Windows Analysis Report
PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe

Overview

General Information

Sample Name: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
Analysis ID: 680480
MD5: 62881881e70f226d8c23a01cdc7287dd
SHA1: e714f5f755f77c24cc7ff4b8a593a3fe76cabeb7
SHA256: b6b281587ead8881ceb6f0f6ba621f2d0c40e120e3314dcac601cc7f5877b3da
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Creates processes with suspicious names
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Uses FTP
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • cleanup
{"Exfil Mode": "FTP", "FTP Host": "ftp://ftp.artrsllc.com/", "Username": "whitemoney11@artrsllc.com", "Password": "aJ{?30{raou;"}
Source | Rule | Description | Author | Strings
00000004.00000000.367436517.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000000.367436517.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000004.00000000.367436517.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  • 0x3005f:$a13: get_DnsResolver
  • 0x2e86f:$a20: get_LastAccessed
  • 0x309dd:$a27: set_InternalServerPort
  • 0x30d0f:$a30: set_GuidMasterKey
  • 0x2e976:$a33: get_Clipboard
  • 0x2e984:$a34: get_Keyboard
  • 0x2fc7c:$a35: get_ShiftKeyDown
  • 0x2fc8d:$a36: get_AltKeyDown
  • 0x2e991:$a37: get_Password
  • 0x2f42c:$a38: get_PasswordHash
  • 0x3045f:$a39: get_DefaultCredentials
00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author | Strings
0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  • 0x30d28:$s10: logins
  • 0x3078f:$s11: credential
  • 0x2cd76:$g1: get_Clipboard
  • 0x2cd84:$g2: get_Keyboard
  • 0x2cd91:$g3: get_Password
  • 0x2e06c:$g4: get_CtrlKeyDown
  • 0x2e07c:$g5: get_ShiftKeyDown
  • 0x2e08d:$g6: get_AltKeyDown
0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  • 0x2e45f:$a13: get_DnsResolver
  • 0x2cc6f:$a20: get_LastAccessed
  • 0x2eddd:$a27: set_InternalServerPort
  • 0x2f10f:$a30: set_GuidMasterKey
  • 0x2cd76:$a33: get_Clipboard
  • 0x2cd84:$a34: get_Keyboard
  • 0x2e07c:$a35: get_ShiftKeyDown
  • 0x2e08d:$a36: get_AltKeyDown
  • 0x2cd91:$a37: get_Password
  • 0x2d82c:$a38: get_PasswordHash
  • 0x2e85f:$a39: get_DefaultCredentials
4.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
                No Sigma rule has matched
                No Snort rule has matched

                AV Detection

Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Virustotal: Detection: 52%
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | ReversingLabs: Detection: 36%
Source: http://ftp.artrsllc.com | Avira URL Cloud: Label: malware
Source: ftp://ftp.artrsllc.com/whitemoney11 | Avira URL Cloud: Label: malware
Source: ftp.artrsllc.com | Virustotal: Detection: 14%
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Joe Sandbox ML: detected
Source: 4.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "FTP Host": "ftp://ftp.artrsllc.com/", "Username": "whitemoney11@artrsllc.com", "Password": "aJ{?30{raou;"}
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View | ASN Name: DIMENOCUS
Source: Joe Sandbox View | IP Address: 107.161.178.166
Source: unknown | FTP traffic detected: 107.161.178.166:21 -> 192.168.2.7:49765
  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
  220-You are user number 5 of 50 allowed.
  220-Local time is now 10:21. Server port: 21.
  220-This is a private system - No anonymous login
  220-IPv6 connections are also welcome on this server.
  220 You will be disconnected after 15 minutes of inactivity.
Source: RegSvcs.exe, 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ftp://ftp.artrsllc.com/whitemoney11
Source: RegSvcs.exe, 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000004.00000002.614573955.000000000369F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000003.398330369.00000000013D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://A2hAjAc0p86apb.com
Source: RegSvcs.exe, 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: RegSvcs.exe, 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ZhDbKe.com
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 00000004.00000002.614649601.00000000036AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftp.artrsllc.com
Source: RegSvcs.exe, 00000004.00000002.614573955.000000000369F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000003.345901174.0000000005C54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.372509100.00000000013C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comgrito
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000003.345471162.0000000005C59000.00000004.00000800.00020000.00000000.sdmp, PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000003.345431980.0000000005C51000.00000004.00000800.00020000.00000000.sdmp, PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000003.345410083.0000000005C50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp, PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000003.345835240.0000000005C54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cne
Source: RegSvcs.exe, 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | DNS traffic detected: queries for: ftp.artrsllc.com

                System Summary

Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.3f65328.1.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.3f65328.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000004.00000000.367436517.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.379474394.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe PID: 6172, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 6444, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: initial sample | Static PE information: Filename: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
Source: 4.0.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{606A6EF8-1437-42D4-BB2B-DB42737768F5}/257ED7A8-3564-4CB1-A8C6-F677993BBB48.cs | Large array initialization: .cctor: array initializer size 11612
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.3f65328.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.3f65328.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000004.00000000.367436517.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.379474394.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe PID: 6172, type: MEMORYSTR | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe PID: 6172, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: RegSvcs.exe PID: 6444, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Code function: 0_2_011F50C2
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Code function: 0_2_011FC994
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_017AF080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_017AF3C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_017AAD20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069872B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0698C398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069898F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06987750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06983330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069BB358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069BBB68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069B28D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069B8040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069BC440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069BBA18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069BC3DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069B9B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069B3CB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06D036A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06D04528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06D01108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06D08A08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0698D3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0698A348
                Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.373214199.0000000002E91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBunifu.UI.dll4 vs PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
                Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.373214199.0000000002E91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamegwctxUAuFOvrUAEZshgxt.exe4 vs PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000000.336604589.0000000000912000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameE7OiW.exeH vs PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.383751391.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.387769467.00000000077D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.379474394.0000000003E99000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.379474394.0000000003E99000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamegwctxUAuFOvrUAEZshgxt.exe4 vs PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.379273016.0000000003417000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Binary or memory string: OriginalFilenameE7OiW.exeH vs PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Virustotal: Detection: 52%
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | ReversingLabs: Detection: 36%
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe "C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe"
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 4.0.RegSvcs.exe.400000.0.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0698179A push es; ret 4_2_069818C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06981792 push es; ret 4_2_069818C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0698178E push es; ret 4_2_069818C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06981782 push es; ret 4_2_069818C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069817B9 push es; ret 4_2_069818C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069817B2 push es; ret 4_2_069818C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069817AA push es; ret 4_2_069818C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069817A1 push es; ret 4_2_069818C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069817DA push es; ret 4_2_069818C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069817D1 push es; ret 4_2_069818C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069817CA push es; ret 4_2_069818C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069817C2 push es; ret 4_2_069818C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069817EA push es; ret 4_2_069818C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069817E2 push es; ret 4_2_069818C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0698177A push es; ret 4_2_069818C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06982520 push edi; ret 4_2_06982526
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06983330 push es; iretd 4_2_069840B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06983330 push es; iretd 4_2_06984148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069818BD push es; ret 4_2_069818C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069840B1 push es; iretd 4_2_06984148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069818DD push es; ret 4_2_06981910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0698181A push es; ret 4_2_069818C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06981816 push es; ret 4_2_069818C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06981832 push es; ret 4_2_069818C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0698182A push es; ret 4_2_069818C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06981826 push es; ret 4_2_069818C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0698187E push es; ret 4_2_069818C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06981872 push es; ret 4_2_069818C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06981876 push es; ret 4_2_069818C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06981862 push es; ret 4_2_069818C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06981866 push es; ret 4_2_069818C4
Source: initial sample | Static PE information: section name: .text entropy: 7.410029605740152
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | File created: \po#8155 pc_etg000137 cont wt ashwagandha 07-08-2022 wrdooo1.exe
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe PID: 6172, type: MEMORYSTR
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.376120852.00000000030E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.376120852.00000000030E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe TID: 6196 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 9568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.376120852.00000000030E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.376120852.00000000030E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.376120852.00000000030E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.376120852.00000000030E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.376120852.00000000030E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.376120852.00000000030E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.376120852.00000000030E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.376120852.00000000030E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.376120852.00000000030E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: RegSvcs.exe, 00000004.00000002.618056160.0000000006719000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000003.408884630.0000000006716000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069B8040 LdrInitializeThunk,4_2_069B8040
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 436000
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1137008
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe VolumeInformation
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf | VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.3f65328.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.367436517.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.379474394.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe PID: 6172, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6444, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6444, type: MEMORYSTR
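The file and registry accesses above are what the report's "Tries to steal Mail credentials", "Tries to harvest and steal ftp login credentials" and "Tries to harvest and steal browser information" signatures key on: one process (here the hollowed RegSvcs.exe) sweeping the credential stores of mail clients, browsers and FTP/SFTP clients in a row. The script below is an added example, not code from the report or from Joe Sandbox, that turns that observation into a host-side detection. The event shape (process image, path), the constructed sample events and the owner-process list are assumptions; the store paths are the ones listed above.

```python
"""Flag credential-store harvesting from file and registry access events.

Added example; it is not part of the Joe Sandbox report. The event shape
(process image, path) and the constructed sample events are assumptions;
the paths in the sample are the ones the report shows RegSvcs.exe opening.
"""
import re
from collections import defaultdict

# Credential stores covered by the report's signatures, grouped by the kind
# of secret they hold. Patterns are matched against normalise(path).
STORES = {
    "mail": {
        "Thunderbird": r"^%userprofile%\\appdata\\roaming\\thunderbird\\profiles\.ini$",
        "Outlook": r"^hkcu\\software\\microsoft\\windows nt\\currentversion\\windows messaging subsystem\\profiles\\outlook\\",
        "IncrediMail": r"^hkcu\\software\\incredimail\\identities$",
    },
    "browser": {
        "Chrome": r"^%userprofile%\\appdata\\local\\google\\chrome\\user data\\[^\\]+\\login data$",
        "Firefox": r"^%userprofile%\\appdata\\roaming\\mozilla\\firefox\\profiles\.ini$",
    },
    "ftp": {
        "FileZilla": r"^%userprofile%\\appdata\\roaming\\filezilla\\recentservers\.xml$",
        "SmartFTP": r"^%userprofile%\\appdata\\roaming\\smartftp\\client 2\.0\\favorites\\",
        "WinSCP": r"^hkcu\\software\\martin prikryl\\winscp 2\\sessions$",
    },
}

# Process images that legitimately read each store (assumed owner list;
# extend it for your estate before deploying the rule).
OWNERS = {
    "Thunderbird": {"thunderbird.exe"}, "Outlook": {"outlook.exe"},
    "IncrediMail": {"incmail.exe"}, "Chrome": {"chrome.exe"},
    "Firefox": {"firefox.exe"}, "FileZilla": {"filezilla.exe"},
    "SmartFTP": {"smartftp.exe"}, "WinSCP": {"winscp.exe"},
}


def normalise(path):
    """Lowercase, abbreviate the registry hive and mask the profile directory."""
    p = path.strip().lower()
    p = re.sub(r"^hkey_current_user\\", r"hkcu\\", p)
    p = re.sub(r"^c:\\users\\[^\\]+\\", r"%userprofile%\\", p)
    return p


def classify(path):
    """Return (category, application) when the path is a known credential store."""
    p = normalise(path)
    for category, apps in STORES.items():
        for app, pattern in apps.items():
            if re.search(pattern, p):
                return category, app
    return None


def analyse(events, min_categories=2):
    """Decide which processes behave like a credential harvester.

    events: iterable of (process_image, path). A process is reported when it
    reads a store it does not own, or reads stores from at least
    min_categories secret categories: the sweep across mail, browser and FTP
    clients is what separates a stealer from one misbehaving client.
    """
    touched = defaultdict(dict)  # process image -> {application: category}
    for image, path in events:
        hit = classify(path)
        if hit:
            category, app = hit
            touched[image.lower()][app] = category

    findings = {}
    for image, apps in touched.items():
        not_owner_of = sorted(a for a in apps if image not in OWNERS[a])
        categories = sorted(set(apps.values()))
        if not_owner_of or len(categories) >= min_categories:
            findings[image] = {
                "stores": sorted(apps),
                "categories": categories,
                "not_owner_of": not_owner_of,
            }
    return findings


# Constructed sample: the accesses the report lists for RegSvcs.exe, plus one
# benign read of Firefox's own profiles.ini for contrast.
SAMPLE_EVENTS = [
    ("RegSvcs.exe", "C:\\Users\\user\\AppData\\Roaming\\Thunderbird\\profiles.ini"),
    ("RegSvcs.exe", "HKEY_CURRENT_USER\\Software\\IncrediMail\\Identities"),
    ("RegSvcs.exe", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"),
    ("RegSvcs.exe", "HKEY_CURRENT_USER\\SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions"),
    ("RegSvcs.exe", "C:\\Users\\user\\AppData\\Roaming\\SmartFTP\\Client 2.0\\Favorites\\Quick Connect\\"),
    ("RegSvcs.exe", "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"),
    ("RegSvcs.exe", "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"),
    ("RegSvcs.exe", "C:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini"),
    ("firefox.exe", "C:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini"),
]

if __name__ == "__main__":
    for image, finding in analyse(SAMPLE_EVENTS).items():
        print(image, finding)
```

Run on the sample events, RegSvcs.exe is reported with all eight stores across the mail, browser and ftp categories, while firefox.exe reading its own profiles.ini is not. The two conditions are deliberately independent: a non-owner touching even one store is worth a look (a .NET framework utility has no business in a WinSCP session key), and the multi-category sweep catches a stealer even when the owner list is incomplete.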

                Remote Access Functionality

Source: Yara match | File source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.3f65328.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.367436517.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.379474394.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe PID: 6172, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6444, type: MEMORYSTR

Mitre Att&ck Matrix

The matrix is listed per tactic. Entries carrying a numeric prefix are the cells with matching signatures in this analysis; the prefix is the report's own counter, kept as rendered. The remaining entries are the matrix's default cells.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 211 Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: 211 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 211 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 3 Software Packing
Credential Access: 2 OS Credential Dumping; 1 Credentials in Registry; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 211 Security Software Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 114 System Information Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Email Collection; 11 Archive Collected Data; 2 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: 1 Exfiltration Over Alternative Protocol; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: 1 Encrypted Channel; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Initial Sample
Source | Detection | Scanner | Label
PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | 52% | Virustotal |
PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | 12% | Metadefender |
PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | 37% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | 100% | Joe Sandbox ML |

Dropped Files
No Antivirus matches

Unpacked PE Files
Source | Detection | Scanner | Label
4.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Domains
Source | Detection | Scanner | Label
ftp.artrsllc.com | 15% | Virustotal |

URLs
Source | Detection | Scanner | Label
http://ZhDbKe.com | 0% | Avira URL Cloud | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.zhongyicts.com.cne | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://ftp.artrsllc.com | 100% | Avira URL Cloud | malware
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
ftp://ftp.artrsllc.com/whitemoney11 | 100% | Avira URL Cloud | malware
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.fontbureau.comgrito | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://A2hAjAc0p86apb.com | 0% | Avira URL Cloud | safe
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ftp.artrsllc.com | 107.161.178.166 | true | true | | unknown
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
http://ZhDbKe.com | RegSvcs.exe, 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://127.0.0.1:HTTP/1.1 | RegSvcs.exe, 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | RegSvcs.exe, 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000003.345901174.0000000005C54000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cne | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000003.345835240.0000000005C54000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/ | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000003.345471162.0000000005C59000.00000004.00000800.00020000.00000000.sdmp; PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000003.345431980.0000000005C51000.00000004.00000800.00020000.00000000.sdmp; PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000003.345410083.0000000005C50000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ftp.artrsllc.com | RegSvcs.exe, 00000004.00000002.614649601.00000000036AD000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
ftp://ftp.artrsllc.com/whitemoney11 | RegSvcs.exe, 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://fontfabrik.com | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp; PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | RegSvcs.exe, 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.comgrito | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.372509100.00000000013C7000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000004.00000002.614573955.000000000369F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://A2hAjAc0p86apb.com | RegSvcs.exe, 00000004.00000002.614573955.000000000369F000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000004.00000003.398330369.00000000013D4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
107.161.178.166 | ftp.artrsllc.com | United States | 33182 | DIMENOCUS | true
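The actionable network indicators in the tables above are the domain ftp.artrsllc.com, its IP 107.161.178.166 (AS33182, DIMENOC) and the FTP drop location ftp://ftp.artrsllc.com/whitemoney11 found in RegSvcs.exe memory; the font-foundry URLs are vendor strings from font metadata and are not indicators. The script below is an added example, not part of the report, that matches those indicators against network logs. The log excerpts are constructed, in a simplified tab-separated shape modelled on Zeek's conn.log, dns.log and ftp.log with an assumed subset of fields, and the internal address ranges are an assumption; TEST-NET addresses stand in for other hosts.

```python
"""Match the report's network indicators against Zeek-style logs.

Added example; it is not part of the Joe Sandbox report. Indicator values
come from the report's domain, URL and IP tables. The log lines are
constructed (simplified Zeek conn.log / dns.log / ftp.log, field subset
assumed) so the script runs offline.
"""
import ipaddress
from urllib.parse import urlparse

IOC_DOMAINS = {"ftp.artrsllc.com"}
IOC_IPS = {"107.161.178.166"}
IOC_URLS = {"ftp://ftp.artrsllc.com/whitemoney11", "http://ftp.artrsllc.com"}

# Address space treated as internal (assumed; adjust to the monitored estate).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

CONN_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service"]
DNS_FIELDS = ["ts", "uid", "id.orig_h", "query", "answers"]
FTP_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "user", "command", "arg"]


def drop_paths():
    """(host, path) pairs from URL indicators that carry a path, e.g. the FTP drop directory."""
    pairs = set()
    for url in IOC_URLS:
        u = urlparse(url)
        path = u.path.rstrip("/")
        if u.hostname and path:
            pairs.add((u.hostname.lower(), path.lower()))
    return pairs


def parse_tsv(text, fields):
    """Parse tab-separated records into dicts, skipping Zeek '#' header lines."""
    rows = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def scan(conn_text, dns_text, ftp_text):
    """Return (log, uid, reason) tuples for records that touch an indicator."""
    hits = []
    paths = {p for _, p in drop_paths()}

    for r in parse_tsv(dns_text, DNS_FIELDS):
        query = r["query"].lower().rstrip(".")
        answers = {a for a in r["answers"].split(",") if a != "-"}
        if query in IOC_DOMAINS:
            hits.append(("dns", r["uid"], f"lookup of indicator domain {query}"))
        elif answers & IOC_IPS:
            hits.append(("dns", r["uid"], f"{query} resolved to indicator IP"))

    for r in parse_tsv(conn_text, CONN_FIELDS):
        dst = r["id.resp_h"]
        if dst in IOC_IPS:
            hits.append(("conn", r["uid"], f"connection to indicator IP {dst}:{r['id.resp_p']}"))
        elif r["service"] == "ftp" and is_external(dst):
            # Weak on its own, but the sample exfiltrates over plaintext FTP
            # to an external host, so unexpected FTP egress is worth surfacing.
            hits.append(("conn", r["uid"], f"plaintext FTP to external host {dst}"))

    for r in parse_tsv(ftp_text, FTP_FIELDS):
        reasons = []
        if r["id.resp_h"] in IOC_IPS:
            reasons.append("FTP session with indicator IP")
        if r["command"] == "STOR" and any(r["arg"].lower().startswith(p + "/") for p in paths):
            reasons.append(f"upload into drop directory {r['arg']}")
        if reasons:
            hits.append(("ftp", r["uid"], "; ".join(reasons)))
    return hits


# Constructed log excerpts (TEST-NET addresses stand in for other hosts).
DNS_LOG = "\n".join("\t".join(r) for r in [
    ["1659972000.10", "Cx1", "10.0.0.23", "ftp.artrsllc.com", "107.161.178.166"],
    ["1659972001.00", "Cx2", "10.0.0.23", "www.bing.com", "203.0.113.5"],
])
CONN_LOG = "\n".join("\t".join(r) for r in [
    ["1659972000.20", "C1", "10.0.0.23", "49712", "107.161.178.166", "21", "tcp", "ftp"],
    ["1659972005.00", "C2", "10.0.0.23", "49713", "203.0.113.5", "443", "tcp", "ssl"],
    ["1659972010.00", "C3", "10.0.0.23", "49714", "198.51.100.9", "21", "tcp", "ftp"],
])
FTP_LOG = "\n".join("\t".join(r) for r in [
    ["1659972000.50", "C1", "10.0.0.23", "49712", "107.161.178.166", "21", "-", "STOR", "/whitemoney11/report.html"],
])

if __name__ == "__main__":
    for hit in scan(CONN_LOG, DNS_LOG, FTP_LOG):
        print(*hit)
```

On the constructed logs the scan reports the DNS lookup of ftp.artrsllc.com, the FTP connection to 107.161.178.166:21, the STOR into /whitemoney11, and the second FTP session to an unrelated external host; the HTTPS connection and the bing.com lookup (a domain the analysis whitelisted) are not reported. The explicit internal ranges are used instead of ipaddress.is_global because the RFC 5737 documentation ranges used here are not treated as global by that property.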
                                      Joe Sandbox Version:35.0.0 Citrine
                                      Analysis ID:680480
Start date and time: 2022-08-08 17:18:13 +02:00
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 9m 51s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Sample file name:PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 18
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal100.troj.spyw.evad.winEXE@3/1@1/1
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HDC Information:Failed
                                      HCA Information:
                                      • Successful, ratio: 100%
                                      • Number of executed functions: 76
                                      • Number of non-executed functions: 1
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                      • Excluded IPs from analysis (whitelisted): 23.211.6.115
                                      • Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
17:19:29 | API Interceptor | 1x Sleep call for process: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe modified
17:19:39 | API Interceptor | 695x Sleep call for process: RegSvcs.exe modified
Match | Associated Sample Name / URL | Detection | Context
107.161.178.166 | SecuriteInfo.com.Trojan.Win32.Sonbokli.Acl.21128.exe | malicious | www.artrsllc.com/hhj/bin_rFFXOXXc119.bin
Match | Associated Sample Name / URL | Detection | Context
ftp.artrsllc.com | svbhjvUpxT.exe | malicious | 107.161.178.166
ftp.artrsllc.com | g0t8s6FogF.exe | malicious | 107.161.178.166
ftp.artrsllc.com | MR2101.xlsx | malicious | 107.161.178.166
ftp.artrsllc.com | AWB & Invoice #1006472.exe | malicious | 107.161.178.166
ftp.artrsllc.com | STRONG MC RFQ.xlsx | malicious | 107.161.178.166
ftp.artrsllc.com | j4jlFy6c2E.exe | malicious | 107.161.178.166
ftp.artrsllc.com | lmeCj1CMGt.exe | malicious | 107.161.178.166
ftp.artrsllc.com | INVOICE.pdf.exe | malicious | 107.161.178.166
ftp.artrsllc.com | gBeVDbnS70.exe | malicious | 107.161.178.166
ftp.artrsllc.com | G2859 QUOTE REQUIREMENT.xlsx | malicious | 107.161.178.166
ftp.artrsllc.com | ERW Steel Pipe Price.xlsx | malicious | 107.161.178.166
ftp.artrsllc.com | regasm_svchost.exe | malicious | 107.161.178.166
ftp.artrsllc.com | ERW Steel Pipe Reference Price.xlsx | malicious | 107.161.178.166
ftp.artrsllc.com | mon.exe | malicious | 107.161.178.166
ftp.artrsllc.com | USD 97,334.10.xlsx | malicious | 107.161.178.166
ftp.artrsllc.com | SHIPPING DOCUMENT.exe | malicious | 107.161.178.166
Match | Associated Sample Name / URL | Detection | Context
DIMENOCUS | Technical Specifications & Drawings.exe | malicious | 67.23.226.119
DIMENOCUS | invesssss.exe | malicious | 184.171.242.24
DIMENOCUS | SKM_20220108.exe | malicious | 199.168.190.154
DIMENOCUS | svbhjvUpxT.exe | malicious | 107.161.178.166
DIMENOCUS | g0t8s6FogF.exe | malicious | 107.161.178.166
DIMENOCUS | MR2101.xlsx | malicious | 107.161.178.166
DIMENOCUS | REQ_INACV-0022_005REQ282022.exe | malicious | 198.49.74.82
DIMENOCUS | invoice.exe | malicious | 107.161.178.166
DIMENOCUS | BC35174.exe | malicious | 107.161.178.166
DIMENOCUS | Emrar Dis Ticaret ve Lojistik Payment Advice 46,273.15USD.exe | malicious | 107.161.178.166
DIMENOCUS | Emrar Dis Ticaret ve Lojistik Payment Advice 46,273.15USD.exe | malicious | 107.161.178.166
DIMENOCUS | TT USD56,670.00.exe | malicious | 199.168.190.154
DIMENOCUS | P0Omx6k3yL.exe | malicious | 67.23.238.102
DIMENOCUS | MSmReFKunQ.dll | malicious | 186.227.207.53
DIMENOCUS | sAeOYTx3B8.dll | malicious | 67.23.252.137
DIMENOCUS | 9S61ROG4hN.dll | malicious | 177.234.151.249
DIMENOCUS | https://tracker.enginemailer.org/CampClickThru/EngineMailerCampaign_clickThru.aspx?TSStr=XNHTdtXB67x8Fqd449lReA%3D%3D&URL=http://z7.fermrtdz.pagamenom.com.br.#.aHR0cHM6Ly93d3cuYWx5b3VtYWxtYXNyeS5uZXQvY2FyZC9yZWQvNzc1Ny8yMC8yMDIyIDk6NDk6MjMgQU0yMDc3NS43NzUuNzc1LldlZC5bMjMyMjcvMjAvMjAyMiA5OjQ5OjIzIEFNbzQ5MjBdLldlZG5lc2RheSwgSnVseSAyMCwgMjAyMi43NzU3LzIwLzIwMjIgOTo0OToyMyBBTTIwNzc1Ljc3NS43NzUuV2VkLlsyMzIyNy8yMC8yMDIyIDk6NDk6MjMgQU1vNDkyMF0uV2VkbmVzZGF5LCBKdWx5IDIwLCAyMDIyL2pjYXByYXJvQGljb25lY3Rpdi5jb20= | malicious | 67.23.238.83
DIMENOCUS | AWB & Invoice #1006472.exe | malicious | 107.161.178.166
DIMENOCUS | STRONG MC RFQ.xlsx | malicious |
                                      • 107.161.178.166
                                      j4jlFy6c2E.exeGet hashmaliciousBrowse
                                      • 107.161.178.166
                                      No context
                                      Process:C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1216
                                      Entropy (8bit):5.355304211458859
                                      Encrypted:false
                                      SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                      MD5:69206D3AF7D6EFD08F4B4726998856D3
                                      SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                      SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                      SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                      Malicious:true
                                      Reputation:high, very likely benign file
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):7.406669599964873
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Windows Screen Saver (13104/52) 0.07%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      File name:PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
                                      File size:880128
                                      MD5:62881881e70f226d8c23a01cdc7287dd
                                      SHA1:e714f5f755f77c24cc7ff4b8a593a3fe76cabeb7
                                      SHA256:b6b281587ead8881ceb6f0f6ba621f2d0c40e120e3314dcac601cc7f5877b3da
                                      SHA512:ae0cdefc3ae27ee559dd261eef14130210b243a37fd51d0cb3abb67f273cd9f3280adcaeeb8d544f6ff32c0d0f1bc8b6b8e4a9092f48e6cb0ac7cb27f130e4d3
                                      SSDEEP:24576:Jgrg0jwi9BHtgL1NSin5uq5n11fDARrII:qg0RBN8146uknrfDA
                                      TLSH:3F155CA9319071DFD927CA72CAA81C34EA517C77A71B921794633198DB3E987DF200B3
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....P.b..............P..X...........v... ........@.. ....................................@................................
                                      Icon Hash:00828e8e8686b000
                                      Entrypoint:0x4d76ae
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x62F05019 [Sun Aug 7 23:51:53 2022 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(the remaining bytes of the entry-point window are zero padding; the disassembler renders each 00 00 pair as "add byte ptr [eax], al")
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xd7654          0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xd8000          0x11f0        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xda000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0xd56b4       0xd5800   False     0.7426186054596019  data       7.410029605740152    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xd8000          0x11f0        0x1200    False     0.3934461805555556  data       5.04651876632834     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xda000          0xc           0x200     False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                         Language  Country
RT_VERSION   0xd80a0  0x334  data
RT_MANIFEST  0xd83d4  0xe15  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators
DLL          Import
mscoree.dll  _CorExeMain
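The header, section and directory values above already identify the native entry point as nothing more than the .NET loader stub: the entry RVA (0x4d76ae - 0x400000 = 0xd76ae) sits in the last six bytes of .text, exactly the length of a `jmp dword ptr [disp32]`, and the operand 00402000h is the single IAT slot (IAT directory at RVA 0x2000, 8 bytes) that the loader fills with mscoree.dll!_CorExeMain, the only import. The Python below is an added example, not code from Joe Sandbox; it carries the report's own numbers as constants, re-derives those relationships and flags the 7.41-bit entropy of .text, which for IL code points to a large embedded encrypted or compressed blob (consistent with the ".NET source code contains very large array initializations" signature). The 7.0 threshold is an assumption.

```python
"""Sanity checks on the static PE values this report lists for the sample."""
from dataclasses import dataclass

IMAGE_BASE = 0x400000            # "Imagebase" in the report
ENTRYPOINT_VA = 0x4D76AE         # "Entrypoint"
JMP_TARGET_VA = 0x402000         # operand of "jmp dword ptr [00402000h]"
IMPORTS = {"mscoree.dll": ["_CorExeMain"]}   # "DLL / Import" table


@dataclass(frozen=True)
class Section:
    name: str
    va: int
    vsize: int
    raw_size: int
    entropy: float


# Section table as printed in the report
SECTIONS = [
    Section(".text", 0x2000, 0xD56B4, 0xD5800, 7.410029605740152),
    Section(".rsrc", 0xD8000, 0x11F0, 0x1200, 5.04651876632834),
    Section(".reloc", 0xDA000, 0xC, 0x200, 0.10191042566270775),
]

# Non-empty data directories as printed in the report: name -> (rva, size)
DATA_DIRS = {
    "IMPORT": (0xD7654, 0x57),
    "RESOURCE": (0xD8000, 0x11F0),
    "BASERELOC": (0xDA000, 0xC),
    "IAT": (0x2000, 0x8),
    "COM_DESCRIPTOR": (0x2008, 0x48),
}


def rva_of(va, image_base=IMAGE_BASE):
    """Virtual address -> RVA (the report prints the entry point as a VA)."""
    return va - image_base


def section_for_rva(rva, sections=SECTIONS):
    """Section whose mapped range contains rva, or None."""
    for s in sections:
        if s.va <= rva < s.va + max(s.vsize, s.raw_size):
            return s
    return None


def directory_for_rva(rva, dirs=DATA_DIRS):
    """Name of the data directory that contains rva, or None."""
    for name, (start, size) in dirs.items():
        if start <= rva < start + size:
            return name
    return None


def entry_layout():
    """Where the entry point lives and what its jmp dereferences."""
    ep = rva_of(ENTRYPOINT_VA)
    sec = section_for_rva(ep)
    target = rva_of(JMP_TARGET_VA)
    return {
        "entry_rva": ep,
        "entry_section": sec.name if sec else None,
        "bytes_to_section_end": (sec.va + sec.vsize - ep) if sec else None,
        "jmp_target_rva": target,
        "jmp_target_dir": directory_for_rva(target),
    }


def looks_like_dotnet_stub(imports=IMPORTS, dirs=DATA_DIRS):
    """True for the canonical 32-bit C#/VB.NET layout: one IAT slot (4-byte
    slot + 4-byte terminator), a 0x48-byte CLI header, mscoree!_CorExeMain as
    the only import, and an entry point that jumps through that slot."""
    lay = entry_layout()
    only_import = imports == {"mscoree.dll": ["_CorExeMain"]}
    one_slot = dirs.get("IAT", (0, 0))[1] == 8
    has_cli_header = dirs.get("COM_DESCRIPTOR", (0, 0))[1] == 0x48
    return only_import and one_slot and has_cli_header and lay["jmp_target_dir"] == "IAT"


def high_entropy_sections(threshold=7.0, sections=SECTIONS):
    """Sections whose entropy suggests packed/encrypted content (threshold assumed)."""
    return [s.name for s in sections if s.entropy >= threshold]


if __name__ == "__main__":
    print(entry_layout())
    print("dotnet stub:", looks_like_dotnet_stub())
    print("high entropy:", high_entropy_sections())
```

Because `bytes_to_section_end` comes out as 6, everything the disassembler printed after the `jmp` lies past the end of .text, which is why the listing degenerates into zero-byte `add byte ptr [eax], al` padding; the real program logic is IL under the CLI header, not native code at the entry point.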
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Aug 8, 2022 17:19:52.324122906 CEST  49765        21         192.168.2.7      107.161.178.166
Aug 8, 2022 17:19:52.453358889 CEST  21           49765      107.161.178.166  192.168.2.7
Aug 8, 2022 17:19:52.453870058 CEST  49765        21         192.168.2.7      107.161.178.166
Aug 8, 2022 17:19:52.461240053 CEST  49765        21         192.168.2.7      107.161.178.166
Aug 8, 2022 17:19:52.583769083 CEST  21           49765      107.161.178.166  192.168.2.7
Aug 8, 2022 17:19:52.583904028 CEST  49765        21         192.168.2.7      107.161.178.166
Aug 8, 2022 17:19:52.590502977 CEST  21           49765      107.161.178.166  192.168.2.7
Aug 8, 2022 17:19:52.590625048 CEST  49765        21         192.168.2.7      107.161.178.166
Aug 8, 2022 17:19:52.590635061 CEST  21           49765      107.161.178.166  192.168.2.7
Aug 8, 2022 17:19:52.590712070 CEST  49765        21         192.168.2.7      107.161.178.166
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Aug 8, 2022 17:19:52.141880035 CEST  60978        53         192.168.2.7  8.8.8.8
Aug 8, 2022 17:19:52.280396938 CEST  53           60978      8.8.8.8      192.168.2.7
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name              Type            Class
Aug 8, 2022 17:19:52.141880035 CEST  192.168.2.7  8.8.8.8  0xa05e    Standard query (0)  ftp.artrsllc.com  A (IP address)  IN (0x0001)

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name              CName  Address          Type            Class
Aug 8, 2022 17:19:52.280396938 CEST  8.8.8.8    192.168.2.7  0xa05e    No error (0)  ftp.artrsllc.com         107.161.178.166  A (IP address)  IN (0x0001)
Timestamp                            Source Port  Dest Port  Source IP        Dest IP      Commands
Aug 8, 2022 17:19:52.583769083 CEST  21           49765      107.161.178.166  192.168.2.7  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                                                                           220-You are user number 5 of 50 allowed.
                                                                                           220-Local time is now 10:21. Server port: 21.
                                                                                           220-This is a private system - No anonymous login
                                                                                           220-IPv6 connections are also welcome on this server.
                                                                                           220 You will be disconnected after 15 minutes of inactivity.
Aug 8, 2022 17:19:52.590502977 CEST  21           49765      107.161.178.166  192.168.2.7  220 Logout.
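The tables above record one DNS lookup and one short TCP session: ftp.artrsllc.com resolves to 107.161.178.166, the sample connects to port 21, the server sends its multi-line 220 banner, and the session ends about 0.27 s after the SYN; the report lists no client commands at all. The Python below is an added example, not part of the Joe Sandbox report. It carries the packet rows and the server reply bytes transcribed from the tables above (the client byte stream is left empty to match the report), turns them into a flow summary and an IOC record an analyst can hand on, and implements the RFC 959 rule that a `xyz-` line continues a reply while a `xyz ` line with the same code ends it. Timestamps are kept as integer nanoseconds so the 9-digit fractions in the table do not lose precision.

```python
"""Flow summary and IOC record built from the network tables in this report."""

# TCP rows transcribed from the table above: (timestamp, src port, dst port, src ip, dst ip)
TCP_PACKETS = [
    ("17:19:52.324122906", 49765, 21, "192.168.2.7", "107.161.178.166"),
    ("17:19:52.453358889", 21, 49765, "107.161.178.166", "192.168.2.7"),
    ("17:19:52.453870058", 49765, 21, "192.168.2.7", "107.161.178.166"),
    ("17:19:52.461240053", 49765, 21, "192.168.2.7", "107.161.178.166"),
    ("17:19:52.583769083", 21, 49765, "107.161.178.166", "192.168.2.7"),
    ("17:19:52.583904028", 49765, 21, "192.168.2.7", "107.161.178.166"),
    ("17:19:52.590502977", 21, 49765, "107.161.178.166", "192.168.2.7"),
    ("17:19:52.590625048", 49765, 21, "192.168.2.7", "107.161.178.166"),
    ("17:19:52.590635061", 21, 49765, "107.161.178.166", "192.168.2.7"),
    ("17:19:52.590712070", 49765, 21, "192.168.2.7", "107.161.178.166"),
]
# DNS answer transcribed from the table above
DNS_ANSWER = {"txid": 0xA05E, "name": "ftp.artrsllc.com", "address": "107.161.178.166"}

# Server side of the FTP session as the report prints it; the client side is
# empty because the report lists no client commands (both streams constructed).
FTP_SERVER_BYTES = b"\r\n".join([
    b"220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------",
    b"220-You are user number 5 of 50 allowed.",
    b"220-Local time is now 10:21. Server port: 21.",
    b"220-This is a private system - No anonymous login",
    b"220-IPv6 connections are also welcome on this server.",
    b"220 You will be disconnected after 15 minutes of inactivity.",
    b"220 Logout.",
]) + b"\r\n"
FTP_CLIENT_BYTES = b""


def ts_ns(ts):
    """'HH:MM:SS.nnnnnnnnn' -> integer nanoseconds since midnight (no float rounding)."""
    hms, _, frac = ts.partition(".")
    h, m, s = (int(x) for x in hms.split(":"))
    return (h * 3600 + m * 60 + s) * 10**9 + int(frac.ljust(9, "0")[:9])


def flow_summary(packets):
    """Direction counts and timing for one TCP flow; packet 0 is the client's SYN."""
    first = packets[0]
    client, server = (first[3], first[1]), (first[4], first[2])
    to_server = sum(1 for p in packets if (p[3], p[1]) == client)
    return {
        "client": client,
        "server": server,
        "packets_to_server": to_server,
        "packets_from_server": len(packets) - to_server,
        "handshake_rtt_ns": ts_ns(packets[1][0]) - ts_ns(packets[0][0]),
        "duration_ns": ts_ns(packets[-1][0]) - ts_ns(packets[0][0]),
    }


def parse_ftp_replies(data):
    """Group server lines into RFC 959 replies: 'xyz-' opens or continues a
    multi-line reply; a line starting 'xyz ' with the same code closes it."""
    replies, current = [], None
    for line in data.decode("ascii", "replace").split("\r\n"):
        if not line:
            continue
        if current is None:
            current = (line[:3], [])
        current[1].append(line)
        if line[:3] == current[0] and line[3:4] == " ":
            replies.append(current)
            current = None
    if current is not None:           # stream cut before the closing line
        replies.append(current)
    return replies


def parse_ftp_commands(data):
    """Client command verbs (USER, PASS, STOR, ...) in order of appearance."""
    return [line.split(" ", 1)[0].upper()
            for line in data.decode("ascii", "replace").split("\r\n") if line]


def build_ioc(dns=DNS_ANSWER, packets=TCP_PACKETS,
              server_bytes=FTP_SERVER_BYTES, client_bytes=FTP_CLIENT_BYTES):
    """One record per C2/exfil endpoint, cross-checking DNS against the flow."""
    flow = flow_summary(packets)
    replies = parse_ftp_replies(server_bytes)
    banner = replies[0][1][0] if replies else ""
    commands = parse_ftp_commands(client_bytes)
    return {
        "domain": dns["name"],
        "ip": dns["address"],
        "port": flow["server"][1],
        "ip_matches_dns": dns["address"] == flow["server"][0],
        "server_software": "Pure-FTPd" if "Pure-FTPd" in banner else "unknown",
        "tls_offered": "[TLS]" in banner,
        "client_commands": commands,
        "credentials_sent": "PASS" in commands,
        "final_reply": replies[-1][1][-1] if replies else "",
        "duration_ms": flow["duration_ns"] / 1e6,
    }


if __name__ == "__main__":
    for key, value in build_ioc().items():
        print(f"{key}: {value}")
```

On the report's data the record comes out with `credentials_sent` false and an empty command list: the capture shows the banner and the server's closing line but no USER/PASS from the client, so the FTP account used by the sample is not recoverable from this traffic alone and would have to come from the decrypted configuration in memory.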

                                      Target ID:0
                                      Start time:17:19:18
                                      Start date:08/08/2022
                                      Path:C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe"
                                      Imagebase:0x910000
                                      File size:880128 bytes
                                      MD5 hash:62881881E70F226D8C23A01CDC7287DD
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.379474394.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.379474394.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.379474394.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                      Reputation:low

                                      Target ID:4
                                      Start time:17:19:32
                                      Start date:08/08/2022
                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Wow64 process (32bit):true
                                      Commandline:{path}
                                      Imagebase:0xf80000
                                      File size:45152 bytes
                                      MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.367436517.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.367436517.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000004.00000000.367436517.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:high
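Two processes appear above: the sample from the user's Desktop and, fourteen seconds later, RegSvcs.exe started with its image path as the whole command line ({path} is how the report renders a command line consisting solely of the executable). The AgentTesla and Credential Stealer Yara hits in Target 4 are at 0x402000, not inside RegSvcs.exe's own image (Imagebase 0xf80000), i.e. on a PE mapped into it, which is what the "Injects a PE file into a foreign processes" signature refers to. A .NET framework utility launched without arguments by a binary in a user-writable directory is a detection pattern in its own right. The Python below is an added detection sketch, not part of the report: the two process records are transcribed from the entries above (the parent/child link between Target 0 and Target 4, and the attribution of the port-21 flow to Target 4, are assumptions, since the report prints neither a process tree nor per-process network data), Targets 8 and 9 are a constructed benign control (msiexec registering an assembly with RegSvcs.exe), and the host-binary list and path markers are assumptions to extend.

```python
"""Process-tree heuristic for the argument-less .NET host pattern in this report."""
import ntpath

# .NET framework utilities commonly started argument-less as injection hosts
# (assumed list for this example; extend as needed).
DOTNET_HOST_BINARIES = {
    "regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
    "applaunch.exe", "csc.exe", "vbc.exe", "aspnet_compiler.exe",
}
# Path fragments that mark a user-writable parent location (assumption).
UNTRUSTED_PARENT_DIRS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
# Ports worth correlating with such a host; 21 is the one this report shows.
EXFIL_PORTS = {21, 25, 465, 587}

# Process records keyed by Target ID. 0 and 4 are transcribed from the report;
# the 4 -> 0 parent link is assumed. 8 and 9 are a constructed benign control.
PROCESSES = {
    0: {"ppid": None,
        "image": r"C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe",
        "cmdline": r'"C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe"'},
    4: {"ppid": 0,
        "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
        # the report prints {path}: the command line is the image path alone
        "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    8: {"ppid": None,
        "image": r"C:\Windows\System32\msiexec.exe",
        "cmdline": r"msiexec.exe /i vendor.msi"},
    9: {"ppid": 8,
        "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
        "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "C:\Program Files\Vendor\Vendor.Services.dll"'},
}
# Attribution of the port-21 flow to Target 4 is an assumption.
NET_EVENTS = [{"pid": 4, "dst": "107.161.178.166", "dport": 21}]


def split_cmdline(cmdline):
    """(image, argument string) from a Windows command line; handles a quoted image path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end == -1:
            return cmdline[1:], ""
        return cmdline[1:end], cmdline[end + 1:].strip()
    image, _, rest = cmdline.partition(" ")
    return image, rest.strip()


def score_process(pid, proc, parent, net_events=()):
    """Reasons this process looks like an argument-less .NET injection host; [] if none."""
    reasons = []
    base = ntpath.basename(proc["image"]).lower()
    if base not in DOTNET_HOST_BINARIES:
        return reasons
    _, args = split_cmdline(proc["cmdline"])
    if not args:
        reasons.append(f"{base} started with no arguments")
    if parent is not None:
        parent_dir = ntpath.dirname(parent["image"]).lower() + "\\"
        if any(frag in parent_dir for frag in UNTRUSTED_PARENT_DIRS):
            reasons.append(f"parent {ntpath.basename(parent['image'])} runs from a user-writable path")
    for ev in net_events:
        if ev["pid"] == pid and ev["dport"] in EXFIL_PORTS:
            reasons.append(f"outbound connection to {ev['dst']}:{ev['dport']}")
    return reasons


def evaluate(processes=PROCESSES, net_events=NET_EVENTS):
    """Target id -> reasons, for every process the heuristic flags."""
    findings = {}
    for pid, proc in processes.items():
        parent = processes.get(proc["ppid"]) if proc["ppid"] is not None else None
        reasons = score_process(pid, proc, parent, net_events)
        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in evaluate().items():
        print(pid, reasons)
```

The argument-less launch is the load-bearing condition: RegSvcs.exe and RegAsm.exe take an assembly path when used legitimately, as the constructed msiexec case shows, so a bare image path is already anomalous and the parent location and the port-21 connection only raise confidence. In a real pipeline the same three checks map onto process-creation events (image, command line, parent image) and network-connection events keyed by process id.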

                                        Execution Graph

                                        Execution Coverage:13.7%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:78
                                        Total number of Limit Nodes:4
                                        execution_graph 7050 11fcaa8 7051 11fcad9 GetCurrentProcess 7050->7051 7052 11fcb22 GetCurrentThread 7051->7052 7055 11fcb1b 7051->7055 7053 11fcb5f GetCurrentProcess 7052->7053 7054 11fcb58 7052->7054 7056 11fcb95 7053->7056 7054->7053 7055->7052 7057 11fcbbd GetCurrentThreadId 7056->7057 7058 11fcbee 7057->7058 7048 11fccd0 DuplicateHandle 7049 11fcd66 7048->7049 7059 11f72c0 7060 11f72da 7059->7060 7063 11f6314 7060->7063 7062 11f72ec 7064 11f631f 7063->7064 7067 11f6334 7064->7067 7066 11f7455 7066->7062 7068 11f633f 7067->7068 7071 11f6364 7068->7071 7070 11f753a 7070->7066 7072 11f636f 7071->7072 7075 11f6394 7072->7075 7074 11f762a 7074->7070 7076 11f639f 7075->7076 7077 11f8146 7076->7077 7083 11fa298 7076->7083 7087 11fa2d0 7076->7087 7090 11fa2c1 7076->7090 7078 11f8184 7077->7078 7094 11fc3d1 7077->7094 7078->7074 7085 11fa2c1 2 API calls 7083->7085 7086 11fa2d0 2 API calls 7083->7086 7084 11fa2ae 7084->7077 7085->7084 7086->7084 7099 11fa3c8 7087->7099 7088 11fa2df 7088->7077 7091 11fa2d0 7090->7091 7093 11fa3c8 2 API calls 7091->7093 7092 11fa2df 7092->7077 7093->7092 7095 11fc401 7094->7095 7096 11fc425 7095->7096 7119 11fc57f 7095->7119 7123 11fc590 7095->7123 7096->7078 7100 11fa3db 7099->7100 7101 11fa3f3 7100->7101 7107 11fa650 7100->7107 7111 11fa640 7100->7111 7101->7088 7102 11fa3eb 7102->7101 7103 11fa5f0 GetModuleHandleW 7102->7103 7104 11fa61d 7103->7104 7104->7088 7108 11fa664 7107->7108 7110 11fa689 7108->7110 7115 11f97a0 7108->7115 7110->7102 7113 11fa650 7111->7113 7112 11fa689 7112->7102 7113->7112 7114 11f97a0 LoadLibraryExW 7113->7114 7114->7112 7116 11fac30 LoadLibraryExW 7115->7116 7118 11faca9 7116->7118 7118->7110 7120 11fc590 7119->7120 7121 11fc5d7 7120->7121 7127 11faa8c 7120->7127 7121->7096 7124 11fc59d 7123->7124 7125 11faa8c 2 API calls 7124->7125 7126 11fc5d7 7124->7126 7125->7126 7126->7096 7128 11faa97 7127->7128 7129 11fd2c8 7128->7129 7131 11fc6c4 7128->7131 7132 11fc6cf 
7131->7132 7133 11f6394 2 API calls 7132->7133 7134 11fd337 7133->7134 7137 11ff0d0 7134->7137 7135 11fd370 7135->7129 7139 11ff101 7137->7139 7140 11ff14e 7137->7140 7138 11ff10d 7138->7135 7139->7138 7142 11ff418 7139->7142 7140->7135 7143 11fa3c8 LoadLibraryExW GetModuleHandleW 7142->7143 7144 11ff421 7143->7144 7144->7140

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 100 11f50c2-11f50c3 101 11f504e 100->101 102 11f50c5-11f50ce 100->102 103 11f5055-11f5066 call 11f50c2 101->103 104 11f5050 101->104 105 11f50d5-11f5113 102->105 106 11f50d0 102->106 111 11f506c-11f508f 103->111 104->103 107 11f5119 105->107 108 11f5232 105->108 106->105 109 11f5120-11f513c 107->109 110 11f5239-11f5241 108->110 112 11f513e 109->112 113 11f5145-11f5146 109->113 123 11f524d-11f5276 110->123 112->107 112->113 114 11f52bd-11f52d0 112->114 115 11f517a-11f51ab 112->115 116 11f5419-11f542b 112->116 117 11f5357-11f536a 112->117 118 11f5216-11f5230 call 11f4834 112->118 119 11f51f5-11f51f9 112->119 120 11f52d5-11f52fe 112->120 121 11f51b0-11f51b4 112->121 122 11f536f-11f53c0 112->122 112->123 124 11f53cb-11f53dd 112->124 125 11f514b-11f5178 112->125 126 11f51e7-11f51f0 112->126 127 11f53e2-11f53e6 112->127 113->116 114->109 115->109 136 11f542d-11f543a 116->136 137 11f543c 116->137 117->109 118->110 131 11f51ff-11f5211 119->131 132 11f56cc-11f56ee 119->132 152 11f5308 120->152 153 11f5300-11f5306 120->153 129 11f51c7-11f51ce 121->129 130 11f51b6-11f51c5 121->130 122->124 149 11f5278-11f527e 123->149 150 11f5280 123->150 124->109 125->109 126->109 134 11f53f9-11f5400 127->134 135 11f53e8-11f53f7 127->135 139 11f51d5-11f51e2 129->139 130->139 131->109 144 11f5407-11f5414 134->144 135->144 146 11f543f 136->146 137->146 139->109 144->109 156 11f5446-11f5620 146->156 155 11f5283-11f52b8 149->155 150->155 158 11f530b-11f5352 152->158 153->158 155->109 163 11f5621 156->163 158->109 165 11f5628-11f5644 163->165 166 11f564d-11f564e 165->166 167 11f5646 165->167 171 11f56c8-11f56c9 166->171 167->163 167->166 167->171 172 11f5650-11f5679 167->172 171->132 176 11f567b-11f5681 172->176 177 11f5683 172->177 178 11f5686-11f56c3 176->178 177->178 178->165
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.372155660.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_11f0000_PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: k(50
                                        • API String ID: 0-2144684636
                                        • Opcode ID: c5b2a32b9138b90aefcfd8f94cbf5afff153ca9484725b7788cfcdb0db42dd69
                                        • Instruction ID: d4a26a61be98bfd82fdcfee9fbbc81a3791e02633247ad901562399b997a8a9d
                                        • Opcode Fuzzy Hash: c5b2a32b9138b90aefcfd8f94cbf5afff153ca9484725b7788cfcdb0db42dd69
                                        • Instruction Fuzzy Hash: 37D12474E04219CFCB58CFA4D984ADDBBB2FF49310F1095AAD60AAB354DB309985CF51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 011FCB08
                                        • GetCurrentThread.KERNEL32 ref: 011FCB45
                                        • GetCurrentProcess.KERNEL32 ref: 011FCB82
                                        • GetCurrentThreadId.KERNEL32 ref: 011FCBDB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.372155660.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_11f0000_PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.jbxd
                                        Similarity
                                        • API ID: Current$ProcessThread
                                        • String ID:
                                        • API String ID: 2063062207-0
                                        • Opcode ID: 7c066e23b46f97b36131c8cad2347ba483e8d26b5326c34df06f99521455aceb
                                        • Instruction ID: 15aa89b171e95a8fa77baa2ed048851b95180cf7aa1bed0ab720945f92bb5f01
                                        • Opcode Fuzzy Hash: 7c066e23b46f97b36131c8cad2347ba483e8d26b5326c34df06f99521455aceb
                                        • Instruction Fuzzy Hash: FC5176B4D002498FDB04CFAAD948BDEBBF4EB48308F24859DE519B7750D7345988CB61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 011FCB08
                                        • GetCurrentThread.KERNEL32 ref: 011FCB45
                                        • GetCurrentProcess.KERNEL32 ref: 011FCB82
                                        • GetCurrentThreadId.KERNEL32 ref: 011FCBDB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.372155660.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_11f0000_PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.jbxd
                                        Similarity
                                        • API ID: Current$ProcessThread
                                        • String ID:
                                        • API String ID: 2063062207-0
                                        • Opcode ID: 0c1a9a7c9a4caaa486ae43b3b8d5006c6b1449d9e83d506ef370c10329207e6b
                                        • Instruction ID: 43a0596b66b190695680c7c3cdf74eaef4a371040f4c35e07ebd115a77ce6837
                                        • Opcode Fuzzy Hash: 0c1a9a7c9a4caaa486ae43b3b8d5006c6b1449d9e83d506ef370c10329207e6b
                                        • Instruction Fuzzy Hash: F05164B4D002098FDB14CFAAD548BDEBBF4EB48308F24849DE519A7750D7345888CF61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 011FA60E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.372155660.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_11f0000_PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: 30931fab9046e476d14a0fe2b17f91f529434f86872b28d9549bb92e7cfbfaff
                                        • Instruction ID: 9806d0b6589812d9665dce6496cae0916d6841da0b61bdb34f9d0830e81a3cee
                                        • Opcode Fuzzy Hash: 30931fab9046e476d14a0fe2b17f91f529434f86872b28d9549bb92e7cfbfaff
                                        • Instruction Fuzzy Hash: 54712870A00B058FDB28DF2AD54475ABBF5BF88204F048A2DD55AD7B50D738E8468F91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        control_flow_graph 183 11fccd0-11fcd64 DuplicateHandle 184 11fcd6d-11fcd8a 183->184 185 11fcd66-11fcd6c 183->185 185->184
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011FCD57
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.372155660.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_11f0000_PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        • Opcode ID: ee32e389181bf058f927eae47e43b438be65c3ca56e742de33157f4532d4e9ca
                                        • Instruction ID: fb6e4b361b9f0fb441ff70ab93951665ec1ca678ac17ce3dc84b459157faee7f
                                        • Opcode Fuzzy Hash: ee32e389181bf058f927eae47e43b438be65c3ca56e742de33157f4532d4e9ca
                                        • Instruction Fuzzy Hash: 8921E2B5D00209AFDB10CFAAD884ADEBFF8FB48324F14841AE914A3750D374A944DFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        control_flow_graph 188 11f97a0-11fac70 190 11fac78-11faca7 LoadLibraryExW 188->190 191 11fac72-11fac75 188->191 192 11faca9-11facaf 190->192 193 11facb0-11faccd 190->193 191->190 192->193
                                        APIs
                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,011FA689,00000800,00000000,00000000), ref: 011FAC9A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.372155660.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_11f0000_PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.jbxd
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        • Opcode ID: a8a1ab9e5fd040a52a109d62ae07532d19d4d0aaf548c03ecf9b9d06efbb8c47
                                        • Instruction ID: 36a8ba188720a2462cd54f8137c747d290c454b6dcf5929f8d7e5b13b73d4e01
                                        • Opcode Fuzzy Hash: a8a1ab9e5fd040a52a109d62ae07532d19d4d0aaf548c03ecf9b9d06efbb8c47
                                        • Instruction Fuzzy Hash: BD1100B6D002099FDB14CF9AD444BDEFBF8EB48364F04842EE919A7610C379A945CFA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        control_flow_graph 196 11fac29-11fac70 197 11fac78-11faca7 LoadLibraryExW 196->197 198 11fac72-11fac75 196->198 199 11faca9-11facaf 197->199 200 11facb0-11faccd 197->200 198->197 199->200
                                        APIs
                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,011FA689,00000800,00000000,00000000), ref: 011FAC9A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.372155660.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_11f0000_PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.jbxd
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        • Opcode ID: 8ed63cfde1be6e734fe7ae6748f89f96ef1e0c6d6758e1e19ef0dfc3d18e3bab
                                        • Instruction ID: 7555ac2227aadf5d89ad834867637a881758a70418df5724657e86933eeda580
                                        • Opcode Fuzzy Hash: 8ed63cfde1be6e734fe7ae6748f89f96ef1e0c6d6758e1e19ef0dfc3d18e3bab
                                        • Instruction Fuzzy Hash: 2D1112B6D002098FDB14CF9AD945BDEFBF4AF48364F04851AD919B7600C378A645CFA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        control_flow_graph 203 11fa5a8-11fa5e8 204 11fa5ea-11fa5ed 203->204 205 11fa5f0-11fa61b GetModuleHandleW 203->205 204->205 206 11fa61d-11fa623 205->206 207 11fa624-11fa638 205->207 206->207
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 011FA60E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.372155660.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_11f0000_PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: ab34ab6df9074a5cc9a932b3aa6de476241b3be1645e7ac049c179946bf0f2f8
                                        • Instruction ID: f80740c882e0f2151c2b9d0038ca8d7ef4329024935013c0d1aee84d5a9f285d
                                        • Opcode Fuzzy Hash: ab34ab6df9074a5cc9a932b3aa6de476241b3be1645e7ac049c179946bf0f2f8
                                        • Instruction Fuzzy Hash: 9F1110B2C002498FDB14CF9AD444BDEFBF8EF88224F14845AD929A7610D378A545CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.371882884.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_119d000_PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f159f478200b2d8753ed2e4de2f463362c91b206b2ea7b7351422f592b0da557
                                        • Instruction ID: e1e5c32940fcad4da202c1dbb3e4936f2fefcf15536326de7a772b2bb36a02d5
                                        • Opcode Fuzzy Hash: f159f478200b2d8753ed2e4de2f463362c91b206b2ea7b7351422f592b0da557
                                        • Instruction Fuzzy Hash: FE2107B1504240EFDF09DF54E9C0BA6BF65FB84324F24C569E8090BB46C336E856C7A2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.371882884.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_119d000_PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d7e3453c612e27c105e554d9f8a7725c17c6a2f5b50e23bfbb30b4d284af1c75
                                        • Instruction ID: 55f38fa49493020d5b4ec10d085bbdcb65bc43befe3f9ec8dde61181ea6e73f7
                                        • Opcode Fuzzy Hash: d7e3453c612e27c105e554d9f8a7725c17c6a2f5b50e23bfbb30b4d284af1c75
                                        • Instruction Fuzzy Hash: B221F871504240DFEF09DF54E9C0B56BF75FB84328F24C569E9054B616C336D855C7A2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.371979820.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_11ad000_PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3e43f20bbb696558e36d9f807e74320dc36a51c757e3efab5a6bc1284aee6199
                                        • Instruction ID: fe141048dc6e4b8c82dd8a8bf236292d1aa41471b49aa56bc87e4d79812c5278
                                        • Opcode Fuzzy Hash: 3e43f20bbb696558e36d9f807e74320dc36a51c757e3efab5a6bc1284aee6199
                                        • Instruction Fuzzy Hash: 50214578544600EFCF18CF54EAC0B16BF65FB84354F60C96DD8094BB42C336D806CAA2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.371979820.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_11ad000_PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b6a1553dd6d72df64be3be651c4c676d908702dd617d8ae04c2ede48cec3ec9e
                                        • Instruction ID: 6556b74c8c68834f14e729f32d12e3d1620adbdd6380c9beff954476e262da88
                                        • Opcode Fuzzy Hash: b6a1553dd6d72df64be3be651c4c676d908702dd617d8ae04c2ede48cec3ec9e
                                        • Instruction Fuzzy Hash: 95213779504600EFDF09CF54E9C0B26BF65FB84324F60C96EE8094BB52C336D846CAA2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.371979820.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_11ad000_PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 038c15ca2c10a8ebfbcb683b6ac3b4eefa713ac49c59fcf8a3533deb79464b76
                                        • Instruction ID: e9e150e787d4ef93b5389e555531c5783776a143a2b8d9576e5f5c726567c02b
                                        • Opcode Fuzzy Hash: 038c15ca2c10a8ebfbcb683b6ac3b4eefa713ac49c59fcf8a3533deb79464b76
                                        • Instruction Fuzzy Hash: 702192754487809FCB07CF24D994B11BF71EF46214F28C5DAD8458F667C33A985ACB62
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.371882884.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_119d000_PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fe53f467f22d3fc093544a00d5bb9c4584ce373a2e28d25d0498f2e1268a348e
                                        • Instruction ID: da47f2acf9a21cb9a9105c0e99dba32cd6c9f91218a36700d5bb77ee1ff38ea7
                                        • Opcode Fuzzy Hash: fe53f467f22d3fc093544a00d5bb9c4584ce373a2e28d25d0498f2e1268a348e
                                        • Instruction Fuzzy Hash: DD11E172804280CFDF06CF44E9C0B16BF71FB84324F24C6A9D8054B616C336D456CBA2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.371882884.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_119d000_PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fe53f467f22d3fc093544a00d5bb9c4584ce373a2e28d25d0498f2e1268a348e
                                        • Instruction ID: 8f3b3029216aa8b708308655b1f62dc6d0edba5752636d30170b9020095665b6
                                        • Opcode Fuzzy Hash: fe53f467f22d3fc093544a00d5bb9c4584ce373a2e28d25d0498f2e1268a348e
                                        • Instruction Fuzzy Hash: 8411D376404280DFCF16CF54E9C4B56BF71FB84324F24C6A9D8450BA16C336E456CBA2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.371979820.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_11ad000_PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9e45f970d755bf8540e392f6c283eccc78c03fee794c0b2575e6450a2c60a458
                                        • Instruction ID: cfa83d9e1ad8054e0b043835dacc78f465a81e0b3148bd2b8c4c16be5305572c
                                        • Opcode Fuzzy Hash: 9e45f970d755bf8540e392f6c283eccc78c03fee794c0b2575e6450a2c60a458
                                        • Instruction Fuzzy Hash: B411BE79904680DFCF06CF54D5C4B15BF71FB84224F24C6AAD8494BA56C33AD44ACB62
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.371882884.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_119d000_PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3597ec1994df7ed972ab71b0dfa06707732911f5de0a06793181afe8ccb76885
                                        • Instruction ID: c7ff155685e9ec41b8d65ddb758f9dc15576f88a17a8061a4c303b865ec7dbf4
                                        • Opcode Fuzzy Hash: 3597ec1994df7ed972ab71b0dfa06707732911f5de0a06793181afe8ccb76885
                                        • Instruction Fuzzy Hash: B90147715047C0AAEF1C5E95EC84BAAFF98EF4123CF08841AED241B742D7789444C6B2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.371882884.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_119d000_PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c2f982d2ba6738c8c8acdd9f0f58eb117fb759945270b33b4db795802b3e3d1a
                                        • Instruction ID: cbba6f9e313f390001e412aa379fa04b32d9ef130f385f9a0175d8c33ee8f3fa
                                        • Opcode Fuzzy Hash: c2f982d2ba6738c8c8acdd9f0f58eb117fb759945270b33b4db795802b3e3d1a
                                        • Instruction Fuzzy Hash: 97F0C271404384AAEB148E59DC88B66FF98EB41638F18C45AED185B686C3799844CAB1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.372155660.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_11f0000_PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ba7d28ad9d5bf9265472ae63b3dc499b83ae6f87f37bcb118ed197f2c3e44fb1
                                        • Instruction ID: cdd34df89ea6e31682b1f830a88ab448248960a11a048a9b6bffa765292f2918
                                        • Opcode Fuzzy Hash: ba7d28ad9d5bf9265472ae63b3dc499b83ae6f87f37bcb118ed197f2c3e44fb1
                                        • Instruction Fuzzy Hash: 0EA19F32E0121ACFCF19DFA5C8445DDBBB2FF84304F16856AEA05BB265EB31A945CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Execution Graph

                                        Execution Coverage:14.6%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:90
                                        Total number of Limit Nodes:8
                                        execution_graph 41242 6d0ca70 DuplicateHandle 41243 6d0cb06 41242->41243 41252 6d02ee0 41253 6d02eff LdrInitializeThunk 41252->41253 41255 6d02f50 41253->41255 41309 69b8259 41310 69b823d 41309->41310 41311 69b80fd 41309->41311 41311->41310 41312 69b8a3c LdrInitializeThunk 41311->41312 41312->41311 41313 6d06888 41314 6d0689d 41313->41314 41315 6d06b7c 41314->41315 41316 6d07bd8 GlobalMemoryStatusEx GlobalMemoryStatusEx 41314->41316 41318 6d06d30 41314->41318 41316->41314 41321 6d06df8 41318->41321 41319 6d06d57 41319->41314 41322 6d06e0c 41321->41322 41324 6d06e4a 41321->41324 41326 6d06df8 2 API calls 41322->41326 41323 6d06e22 41327 6d07bd8 41323->41327 41324->41319 41326->41323 41328 6d07bf3 41327->41328 41330 6d07c1b 41327->41330 41328->41324 41329 6d07c71 41329->41324 41330->41329 41331 6d07d0f 41330->41331 41334 6d07d1d 41330->41334 41332 6d06d30 2 API calls 41331->41332 41333 6d07d16 41332->41333 41333->41324 41334->41333 41336 6d080e8 41334->41336 41339 6d08120 41336->41339 41337 6d080f6 41337->41333 41340 6d0812d 41339->41340 41341 6d08155 41339->41341 41340->41337 41347 6d066fc 41341->41347 41344 6d08176 41344->41337 41345 6d0823e GlobalMemoryStatusEx 41346 6d0826e 41345->41346 41346->41337 41348 6d081f8 GlobalMemoryStatusEx 41347->41348 41350 6d08172 41348->41350 41350->41344 41350->41345 41244 17aadd0 41245 17aadee 41244->41245 41248 17a9dc0 41245->41248 41247 17aae25 41249 17ac8f0 LoadLibraryA 41248->41249 41251 17ac9cc 41249->41251 41260 17a4540 41261 17a4554 41260->41261 41264 17a478a 41261->41264 41271 17a49e8 41264->41271 41275 17a4986 41264->41275 41279 17a4870 41264->41279 41283 17a496c 41264->41283 41287 17a485f 41264->41287 41265 17a455d 41272 17a49ee 41271->41272 41273 17a4a00 41272->41273 41291 17a4f1f 41272->41291 41273->41265 41276 17a4999 41275->41276 41277 17a49ab 41275->41277 41296 17a4c67 41276->41296 41280 17a48b4 41279->41280 41281 17a49ab 41280->41281 41282 17a4c67 2 API calls 41280->41282 41282->41281 41284 17a491f 41283->41284 41284->41283 41285 17a49ab 41284->41285 41286 17a4c67 2 API calls 41284->41286 41286->41285 41288 17a48b4 41287->41288 41289 17a49ab 41288->41289 41290 17a4c67 2 API calls 41288->41290 41290->41289 41292 17a4f2a 41291->41292 41293 17a4f8f 41291->41293 41292->41273 41294 17a4fd7 RtlEncodePointer 41293->41294 41295 17a5000 41293->41295 41294->41295 41295->41273 41297 17a4c86 41296->41297 41301 17a4cc8 41297->41301 41305 17a4cb9 41297->41305 41298 17a4c96 41298->41277 41302 17a4d02 41301->41302 41303 17a4d2c RtlEncodePointer 41302->41303 41304 17a4d55 41302->41304 41303->41304 41304->41298 41306 17a4d02 41305->41306 41307 17a4d2c RtlEncodePointer 41306->41307 41308 17a4d55 41306->41308 41307->41308 41308->41298 41351 69ba3c0 41355 69ba3df 41351->41355 41352 69ba648 41354 69b6260 RegQueryValueExW 41354->41355 41355->41352 41355->41354 41356 69b6254 41355->41356 41357 69ba6d0 RegOpenKeyExW 41356->41357 41359 69ba796 41357->41359
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618390404.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6980000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2622448d78d593f1108be07fe733e6041b0a09c434d7ecf4100d22ff4e9dcbec
                                        • Instruction ID: e3afd37c64b5fd1dcde18cfec0ebcf788511e776266d8d34e9b3929a5815b42a
                                        • Opcode Fuzzy Hash: 2622448d78d593f1108be07fe733e6041b0a09c434d7ecf4100d22ff4e9dcbec
                                        • Instruction Fuzzy Hash: 24733F31D107598ECB50EF68C884AADF7B1FF99300F15D69AE459A7621EB30AAC4CF41
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        control_flow_graph 855 69b8040-69b809e 862 69b823d-69b8247 855->862 863 69b80a4-69b80cf 855->863 867 69b824d-69b8277 863->867 868 69b80d5-69b80f7 863->868 872 69b8279-69b8283 867->872 873 69b829c-69b82b0 867->873 868->862 871 69b80fd-69b8106 868->871 871->867 876 69b810c-69b8114 871->876 874 69b8298-69b829b 872->874 875 69b8285-69b8296 872->875 880 69b82b2-69b82ea 873->880 881 69b8237 873->881 875->874 878 69b811a-69b812d 876->878 879 69b8228-69b822c 876->879 882 69b8248 879->882 883 69b822e-69b8234 879->883 890 69b82f2-69b82f8 880->890 881->862 881->871 882->867 883->881 888->889 906 69b817d-69b8197 888->906 889->879 892 69b8301-69b83be 890->892 924 69b83c0-69b8401 892->924 925 69b8415-69b841f 892->925 906->889 909 69b8199-69b81af 906->909 909->889 915 69b81b1-69b81ca 909->915 915->889 921 69b81cc-69b8210 915->921 921->879 924->925 934 69b8403-69b8413 924->934 929 69b8425-69b842d 925->929 932 69b8437-69b8440 929->932 1117 69b8442 call 69b92e8 932->1117 1118 69b8442 call 69b92e0 932->1118 934->929 935 69b8447-69b8455 940 69b8457-69b8e3d 935->940 941 69b8465-69b8812 935->941 981 69b8818-69b8825 941->981 982 69b8dfd-69b8e20 941->982 983 69b882b-69b8896 981->983 984 69b8e25-69b8e2f 981->984 982->984 983->982 995 69b889c-69b88d1 983->995 998 69b88fa-69b8902 995->998 999 69b88d3-69b88f8 995->999 1002 69b8905-69b894e call 69b6184 998->1002 999->1002 1008 69b8de4-69b8dea 1002->1008 1009 69b8954-69b895c 1002->1009 1008->982 1010 69b8dec-69b8df5 1008->1010 1011 69b8966-69b8978 call 69b6190 1009->1011 1010->983 1012 69b8dfb 1010->1012 1014 69b897d-69b89ac 1011->1014 1012->984 1014->1008 1017 69b89b2-69b89bc 1014->1017 1017->1008 1018 69b89c2-69b89d5 1017->1018 1018->1008 1019 69b89db-69b8a02 1018->1019 1023 69b8a08-69b8a0b 1019->1023 1024 69b8da5-69b8dc8 1019->1024 1023->1024 1025 69b8a11-69b8a35 1023->1025 1032 69b8dcd-69b8dd3 1024->1032 1033 69b8a3c-69b8a4b LdrInitializeThunk 1025->1033 1032->982 1035 69b8dd5-69b8dde 1032->1035 1036 69b8a51-69b8aa0 1033->1036 1035->1008 1035->1019 1044 69b8aa6-69b8adf 1036->1044 1045 69b8be5-69b8beb 1036->1045 1049 69b8c01-69b8c07 1044->1049 1062 69b8ae5-69b8b1b 1044->1062 1046 69b8bf9 1045->1046 1047 69b8bed-69b8bef 1045->1047 1046->1049 1047->1046 1050 69b8c09-69b8c0b 1049->1050 1051 69b8c15-69b8c18 1049->1051 1050->1051 1053 69b8c23-69b8c29 1051->1053 1055 69b8c2b-69b8c2d 1053->1055 1056 69b8c37-69b8c3a 1053->1056 1055->1056 1058 69b8b89-69b8bb9 call 69b619c 1056->1058 1065 69b8bbb-69b8bda 1058->1065 1068 69b8c3f-69b8c6d call 69b61a8 1062->1068 1069 69b8b21-69b8b44 1062->1069 1072 69b8c72-69b8cc4 1065->1072 1073 69b8be0 1065->1073 1068->1065 1069->1068 1079 69b8b4a-69b8b7d 1069->1079 1092 69b8cce-69b8cd4 1072->1092 1093 69b8cc6-69b8ccc 1072->1093 1073->1032 1079->1053 1091 69b8b83 1079->1091 1091->1058 1095 69b8ce2 1092->1095 1096 69b8cd6-69b8cd8 1092->1096 1094 69b8ce5-69b8d03 1093->1094 1100 69b8d27-69b8da3 1094->1100 1101 69b8d05-69b8d15 1094->1101 1095->1094 1096->1095 1100->1032 1101->1100 1104 69b8d17-69b8d20 1101->1104 1104->1100 1117->935 1118->935
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618508653.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_69b0000_RegSvcs.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 0e575f8e183d0fe6523a8bf0f69d119e8ee33b8ff371597c1f519751c49a6c47
                                        • Instruction ID: aa2c64a71ce271b6b69a0df51644854a72b043e67be723b6ba3f7b2ac22ea537
                                        • Opcode Fuzzy Hash: 0e575f8e183d0fe6523a8bf0f69d119e8ee33b8ff371597c1f519751c49a6c47
                                        • Instruction Fuzzy Hash: E7823930E007198FCB64EF78C95469DB7B6AF89340F1085AAD44AAB355EF349E85CF81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618390404.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6980000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d6d076538ce5824813f75bf548ec13e0434c923fb7af5644f8083a206f832bea
                                        • Instruction ID: 83aa87282a97cad6fdfde718792c5b2e4e7a03b103939b0d469400510dc1697f
                                        • Opcode Fuzzy Hash: d6d076538ce5824813f75bf548ec13e0434c923fb7af5644f8083a206f832bea
                                        • Instruction Fuzzy Hash: E4131D31D107598ECB51EF68C8846ADF7B1FF99300F11D69AE458A7621EB30AAC4CF81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618390404.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6980000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 630727e65a800a4e868e6b2afe2fd30696df9ac4577b84a45268b4035d17395d
                                        • Instruction ID: 715452b8b07e8748fb324d5ca528179711e1ca186c6b090a0f77d5a4f442f80a
                                        • Opcode Fuzzy Hash: 630727e65a800a4e868e6b2afe2fd30696df9ac4577b84a45268b4035d17395d
                                        • Instruction Fuzzy Hash: DCA29D34A003059FCB64EBB4D898A6DBBB2BF89304F2584A9E40ADB754DF359D42CF51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618390404.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6980000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c80f3d90fbf5bacf1281415405fb1f15eb570cfd4c5e098c9fcd2f7d534823bc
                                        • Instruction ID: b67b02d46bd5cae48e7f97124eb889af46c9045e0d7f9c669db3ff92ca19c3b7
                                        • Opcode Fuzzy Hash: c80f3d90fbf5bacf1281415405fb1f15eb570cfd4c5e098c9fcd2f7d534823bc
                                        • Instruction Fuzzy Hash: 0A623B34A012059FCB64EB74D898B6DBBB2BF89310F5585A9E40A9B348DF349D82CF54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618390404.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6980000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 550c15d89f9d69b2e3d0514886b25d7c662635b7fce0d5dc45fa1ae8214c0a71
                                        • Instruction ID: 156516b5c1f9274a8246d7a5b649a5551b757e0143431d2f85e06f97d5a4b52d
                                        • Opcode Fuzzy Hash: 550c15d89f9d69b2e3d0514886b25d7c662635b7fce0d5dc45fa1ae8214c0a71
                                        • Instruction Fuzzy Hash: 5F22CE30B012059FCB54EBB8D8587AEBBA6AFC5304F148829E405DB795EF389D46CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1789 6d058e0-6d0592c LdrInitializeThunk 1793 6d05933-6d0593f 1789->1793 1794 6d05945-6d0594e 1793->1794 1795 6d05b3f-6d05b52 1793->1795 1796 6d05b74 1794->1796 1797 6d05954-6d05969 1794->1797 1798 6d05b79-6d05b7d 1795->1798 1796->1798 1802 6d05983-6d0599e 1797->1802 1803 6d0596b-6d0597e 1797->1803 1799 6d05b88 1798->1799 1800 6d05b7f 1798->1800 1800->1799 1810 6d059a0-6d059aa 1802->1810 1811 6d059ac 1802->1811 1804 6d05b13-6d05b17 1803->1804 1805 6d05b22 1804->1805 1806 6d05b19 1804->1806 1805->1795 1806->1805 1812 6d059b1-6d059b3 1810->1812 1811->1812 1813 6d059b5-6d059c8 1812->1813 1814 6d059cd-6d05a65 1812->1814 1813->1804 1832 6d05a73 1814->1832 1833 6d05a67-6d05a71 1814->1833 1834 6d05a78-6d05a7a 1832->1834 1833->1834 1835 6d05a7c-6d05a7e 1834->1835 1836 6d05abd-6d05b11 1834->1836 1837 6d05a80-6d05a8a 1835->1837 1838 6d05a8c 1835->1838 1836->1804 1840 6d05a91-6d05a93 1837->1840 1838->1840 1840->1836 1841 6d05a95-6d05abb 1840->1841 1841->1836
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618844318.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6d00000_RegSvcs.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 590394f9ec01752adae7206a7e38a4c5656a1225d6d65d2b06b089f73ad6315b
                                        • Instruction ID: 2e14201e181c6e5178ff9a9aa94097de7e77c8f8d1884e48c58f0a521913f728
                                        • Opcode Fuzzy Hash: 590394f9ec01752adae7206a7e38a4c5656a1225d6d65d2b06b089f73ad6315b
                                        • Instruction Fuzzy Hash: 1A613E30A113099FEB54EFB4E5587AEB7F2AF85305F508428E806A7394DF78A945CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        control_flow_graph 1851 6d02ee0-6d02f4a LdrInitializeThunk 1859 6d02f50-6d02f6a 1851->1859 1860 6d03093-6d030b0 1851->1860 1859->1860 1863 6d02f70-6d02f8a 1859->1863 1872 6d030b5-6d030be 1860->1872 1866 6d02f90 1863->1866 1867 6d02f8c-6d02f8e 1863->1867 1869 6d02f93-6d02fee 1866->1869 1867->1869 1878 6d02ff0-6d02ff2 1869->1878 1879 6d02ff4 1869->1879 1880 6d02ff7-6d03091 1878->1880 1879->1880 1880->1872
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618844318.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6d00000_RegSvcs.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 262cdf8e8a995695d75e567c6c37d7c2dd5ba3b5c403886c9a25b37e50fb3cd3
                                        • Instruction ID: 32c222feb6bbc85e3947d1430f12463e9594e24f6c839ee74205875208404af5
                                        • Opcode Fuzzy Hash: 262cdf8e8a995695d75e567c6c37d7c2dd5ba3b5c403886c9a25b37e50fb3cd3
                                        • Instruction Fuzzy Hash: EF51A531A102059FDB54FBB4D888AAEB7F6BF85204F048969E5129B385EF74D904CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        control_flow_graph 1897 6d08120-6d0812b 1898 6d08155-6d08174 call 6d066fc 1897->1898 1899 6d0812d-6d08154 1897->1899 1904 6d08176-6d08179 1898->1904 1905 6d0817a-6d081d9 1898->1905 1911 6d081db-6d081de 1905->1911 1912 6d081df-6d0826c GlobalMemoryStatusEx 1905->1912 1915 6d08275-6d0829d 1912->1915 1916 6d0826e-6d08274 1912->1916 1916->1915
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618844318.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6d00000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 71d9ee28d5c2f8ae157f80bad0663d01dd3f5c9f5fbaa1420c5a19f140d01fa2
                                        • Instruction ID: b7fd2e23745e3b5de15e74963515de5063454becea74a1212fe2996b1046134e
                                        • Opcode Fuzzy Hash: 71d9ee28d5c2f8ae157f80bad0663d01dd3f5c9f5fbaa1420c5a19f140d01fa2
                                        • Instruction Fuzzy Hash: F1411372E003558FDB00CFB9C8443DEBBB5EF89220F14866AD414A7780EB789846CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        control_flow_graph 1919 69ba928-69ba947 1920 69ba949-69ba953 1919->1920 1921 69ba96c-69ba9f1 1919->1921 1922 69ba968-69ba96b 1920->1922 1923 69ba955-69ba966 1920->1923 1928 69ba9f9-69baa03 1921->1928 1929 69ba9f3-69ba9f6 1921->1929 1923->1922 1930 69baa0f-69baa51 RegQueryValueExW 1928->1930 1931 69baa05-69baa0d 1928->1931 1929->1928 1932 69baa5a-69baa94 1930->1932 1933 69baa53-69baa59 1930->1933 1931->1930 1937 69baa9e 1932->1937 1938 69baa96 1932->1938 1933->1932 1939 69baa9f 1937->1939 1938->1937 1939->1939
                                        APIs
                                        • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 069BAA41
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618508653.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_69b0000_RegSvcs.jbxd
                                        Similarity
                                        • API ID: QueryValue
                                        • String ID:
                                        • API String ID: 3660427363-0
                                        • Opcode ID: f2ed63248451b5e8eaedc5293e1372885e19fa5f3620855fad402d823907f774
                                        • Instruction ID: 88ad8866567d01c179e4b35f885dbe883fa9a214bc1bf5e5a9b7607d2ef185c7
                                        • Opcode Fuzzy Hash: f2ed63248451b5e8eaedc5293e1372885e19fa5f3620855fad402d823907f774
                                        • Instruction Fuzzy Hash: C6413471D013499FCB10CFA9C984ADEBBFAEF49350F15806AE818AB750D7749905CFA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%
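The control_flow_graph lines in this listing are a flat edge list rather than a picture, so here is an added Python example (my own code, not part of the Joe Sandbox report or its IDA plugin) that parses that format and answers the questions a triager asks of it: which block is the entry, whether the block that invokes the API is reachable from it, which block contains the call site the APIs line reports, and which blocks loop on themselves. The tokenization (decimal node ids, hex address ranges, `call ADDR` for a call inside the dump, a bare name for an imported API, `a->b` edges) is inferred from the lines on this page and is an assumption; the sample input is the RegQueryValueExW function's own line copied from above.

```python
"""Parse a Joe Sandbox 'control_flow_graph ...' edge list and query it."""
import re
from collections import deque

EDGE = re.compile(r"^(\d+)->(\d+)$")     # "1928->1930"
NODE_ID = re.compile(r"^\d+$")           # "1930" (decimal block id)

# Constructed sample: the RegQueryValueExW function line as printed in this report.
SAMPLE_CFG = (
    "control_flow_graph 1919 69ba928-69ba947 1920 69ba949-69ba953 1919->1920 "
    "1921 69ba96c-69ba9f1 1919->1921 1922 69ba968-69ba96b 1920->1922 "
    "1923 69ba955-69ba966 1920->1923 1928 69ba9f9-69baa03 1921->1928 "
    "1929 69ba9f3-69ba9f6 1921->1929 1923->1922 1930 69baa0f-69baa51 RegQueryValueExW "
    "1928->1930 1931 69baa05-69baa0d 1928->1931 1929->1928 1932 69baa5a-69baa94 "
    "1930->1932 1933 69baa53-69baa59 1930->1933 1931->1930 1937 69baa9e 1932->1937 "
    "1938 69baa96 1932->1938 1933->1932 1939 69baa9f 1937->1939 1938->1937 1939->1939"
)


def parse_cfg(line):
    """Return (nodes, edges). Token grammar is an assumption inferred from the page:
    '<id> <lo>[-<hi>]' opens a block, 'call <hex>' and bare API names annotate it,
    '<a>-><b>' is an edge. A single address means a one-byte block."""
    tokens = line.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    nodes, edges, cur, i = {}, [], None, 1
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges.append((int(m[1]), int(m[2])))
            i += 1
        elif NODE_ID.match(tok):
            lo, _, hi = tokens[i + 1].partition("-")
            cur = int(tok)
            nodes[cur] = {"start": int(lo, 16), "end": int(hi or lo, 16), "calls": [], "apis": []}
            i += 2
        elif tok == "call":
            nodes[cur]["calls"].append(int(tokens[i + 1], 16))
            i += 2
        else:
            nodes[cur]["apis"].append(tok)
            i += 1
    return nodes, edges


def entry_block(nodes, edges):
    """Lowest-addressed block with no incoming edge (the function entry)."""
    targets = {dst for _, dst in edges}
    roots = [n for n in nodes if n not in targets]
    return min(roots, key=lambda n: nodes[n]["start"]) if roots else None


def reachable(edges, start):
    """Set of block ids reachable from `start` by following edges (BFS)."""
    succ = {}
    for s, d in edges:
        succ.setdefault(s, []).append(d)
    seen, todo = {start}, deque([start])
    while todo:
        n = todo.popleft()
        for d in succ.get(n, []):
            if d not in seen:
                seen.add(d)
                todo.append(d)
    return seen


def api_sites(nodes):
    """Blocks that invoke an imported API, mapped to the API names."""
    return {n: info["apis"] for n, info in nodes.items() if info["apis"]}


def self_loops(edges):
    """Blocks with an edge back to themselves (tight spin or padding; inspect manually)."""
    return [s for s, d in edges if s == d]


def block_containing(nodes, addr):
    """Block id whose address range covers `addr` (e.g. the 'ref:' call site), else None."""
    for n, info in nodes.items():
        if info["start"] <= addr <= info["end"]:
            return n
    return None


if __name__ == "__main__":
    nodes, edges = parse_cfg(SAMPLE_CFG)
    entry = entry_block(nodes, edges)
    print(f"{len(nodes)} blocks, {len(edges)} edges, entry {entry}")
    for blk, apis in api_sites(nodes).items():
        print(f"block {blk} calls {apis}; reachable from entry: {blk in reachable(edges, entry)}")
    print("call site 069BAA41 is in block", block_containing(nodes, 0x069BAA41))
    print("self-looping blocks:", self_loops(edges))
```

On the sample line this reports 14 blocks and 19 edges, entry 1919, the RegQueryValueExW block 1930 reachable from entry and containing the call site 069BAA41 that the APIs line gives, and block 1939 (a single byte at 69baa9f) looping on itself, which the listing does not explain and is worth checking in the dump.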

                                        Control-flow Graph

                                        control_flow_graph 1940 69ba670-69ba68f 1941 69ba691-69ba69b 1940->1941 1942 69ba6b4-69ba720 1940->1942 1943 69ba69d-69ba6ae 1941->1943 1944 69ba6b0-69ba6b3 1941->1944 1948 69ba728 1942->1948 1949 69ba722-69ba725 1942->1949 1943->1944 1950 69ba732-69ba794 RegOpenKeyExW 1948->1950 1949->1948 1951 69ba79d-69ba7d5 1950->1951 1952 69ba796-69ba79c 1950->1952 1956 69ba7e8 1951->1956 1957 69ba7d7-69ba7e0 1951->1957 1952->1951 1958 69ba7e9 1956->1958 1957->1956 1958->1958
                                        APIs
                                        • RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 069BA784
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618508653.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_69b0000_RegSvcs.jbxd
                                        Similarity
                                        • API ID: Open
                                        • String ID:
                                        • API String ID: 71445658-0
                                        • Opcode ID: 29c1f13f6df1ea73536e6152a8cbcc1dcf5a0adb56ae5b09cc7caa30b732adf6
                                        • Instruction ID: b2fe7bd6c978f584b4bb11505154d6a97b2e7277874c2fcf6922ec03f71cffc4
                                        • Opcode Fuzzy Hash: 29c1f13f6df1ea73536e6152a8cbcc1dcf5a0adb56ae5b09cc7caa30b732adf6
                                        • Instruction Fuzzy Hash: C44166B0D053499FDB00CF98C688BCEBBF5AF48314F28856AE408ABB55D7759845CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        control_flow_graph 1978 17ac8e4-17ac947 1979 17ac949-17ac953 1978->1979 1980 17ac980-17ac9ca LoadLibraryA 1978->1980 1979->1980 1981 17ac955-17ac957 1979->1981 1987 17ac9cc-17ac9d2 1980->1987 1988 17ac9d3-17aca04 1980->1988 1982 17ac97a-17ac97d 1981->1982 1983 17ac959-17ac963 1981->1983 1982->1980 1985 17ac967-17ac976 1983->1985 1986 17ac965 1983->1986 1985->1985 1989 17ac978 1985->1989 1986->1985 1987->1988 1991 17aca06-17aca0a 1988->1991 1992 17aca14 1988->1992 1989->1982 1991->1992 1994 17aca0c 1991->1994 1995 17aca15 1992->1995 1994->1992 1995->1995
                                        APIs
                                        • LoadLibraryA.KERNELBASE(?), ref: 017AC9BA
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.610241748.00000000017A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_17a0000_RegSvcs.jbxd
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        • Opcode ID: 0e62351b3a2788beb14bd5f3d3c1e6562837ba217d3500e92316def5f94d52b2
                                        • Instruction ID: 09cf53e7b689daaba771358e9f0a9f3d66f0cd4696f9c5bcb1532aff11ef4c61
                                        • Opcode Fuzzy Hash: 0e62351b3a2788beb14bd5f3d3c1e6562837ba217d3500e92316def5f94d52b2
                                        • Instruction Fuzzy Hash: 033132B0D00249EFDB15CFA8C885BEEFFB1AB48314F14862AE815A7380D7749485CF92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        control_flow_graph 1959 17a9dc0-17ac947 1961 17ac949-17ac953 1959->1961 1962 17ac980-17ac9ca LoadLibraryA 1959->1962 1961->1962 1963 17ac955-17ac957 1961->1963 1969 17ac9cc-17ac9d2 1962->1969 1970 17ac9d3-17aca04 1962->1970 1964 17ac97a-17ac97d 1963->1964 1965 17ac959-17ac963 1963->1965 1964->1962 1967 17ac967-17ac976 1965->1967 1968 17ac965 1965->1968 1967->1967 1971 17ac978 1967->1971 1968->1967 1969->1970 1973 17aca06-17aca0a 1970->1973 1974 17aca14 1970->1974 1971->1964 1973->1974 1976 17aca0c 1973->1976 1977 17aca15 1974->1977 1976->1974 1977->1977
                                        APIs
                                        • LoadLibraryA.KERNELBASE(?), ref: 017AC9BA
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.610241748.00000000017A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_17a0000_RegSvcs.jbxd
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        • Opcode ID: b7acdb0564b64667bc5fc2aed78578b3485dfffa5ce3f8a2dd3284f7d91f7ef1
                                        • Instruction ID: 39b453ba264e603fc8a7cd5b98408e90637e9aed8a2f499bbb929cf57ce5362a
                                        • Opcode Fuzzy Hash: b7acdb0564b64667bc5fc2aed78578b3485dfffa5ce3f8a2dd3284f7d91f7ef1
                                        • Instruction Fuzzy Hash: 6D3134B1D00249EFDB15CFA8C885BEEFBB1BB48314F548629E815A7380D7749845CF96
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        control_flow_graph 1996 69b6260-69ba9f1 1999 69ba9f9-69baa03 1996->1999 2000 69ba9f3-69ba9f6 1996->2000 2001 69baa0f-69baa51 RegQueryValueExW 1999->2001 2002 69baa05-69baa0d 1999->2002 2000->1999 2003 69baa5a-69baa94 2001->2003 2004 69baa53-69baa59 2001->2004 2002->2001 2008 69baa9e 2003->2008 2009 69baa96 2003->2009 2004->2003 2010 69baa9f 2008->2010 2009->2008 2010->2010
                                        APIs
                                        • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 069BAA41
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618508653.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_69b0000_RegSvcs.jbxd
                                        Similarity
                                        • API ID: QueryValue
                                        • String ID:
                                        • API String ID: 3660427363-0
                                        • Opcode ID: f727695a5fdcf9046f19f2e3cbb6ca5f623f07998d469a0e27be8e43c15a5e1b
                                        • Instruction ID: b09c885eaea062cb354e4728a60b9610bba576481e155ddf396bb8ef2a703b2d
                                        • Opcode Fuzzy Hash: f727695a5fdcf9046f19f2e3cbb6ca5f623f07998d469a0e27be8e43c15a5e1b
                                        • Instruction Fuzzy Hash: A531EFB1D002599FCB20CF9ADA84ACEBBF5FB48310F54812AE819AB710D7749945CFA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        control_flow_graph 2630 69b6254-69ba720 2632 69ba728-69ba794 RegOpenKeyExW 2630->2632 2633 69ba722-69ba725 2630->2633 2635 69ba79d-69ba7d5 2632->2635 2636 69ba796-69ba79c 2632->2636 2633->2632 2640 69ba7e8 2635->2640 2641 69ba7d7-69ba7e0 2635->2641 2636->2635 2642 69ba7e9 2640->2642 2641->2640 2642->2642
                                        APIs
                                        • RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 069BA784
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618508653.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_69b0000_RegSvcs.jbxd
                                        Similarity
                                        • API ID: Open
                                        • String ID:
                                        • API String ID: 71445658-0
                                        • Opcode ID: bcd5df20e698c87d118c8c0efbdf05a3b5ee8e0a7a48c0a9adf1a75bb97ceddc
                                        • Instruction ID: 0cdfd8625823325b1770cfacbb82fc1ac2c1484ff9984ba303937c65bfede6e4
                                        • Opcode Fuzzy Hash: bcd5df20e698c87d118c8c0efbdf05a3b5ee8e0a7a48c0a9adf1a75bb97ceddc
                                        • Instruction Fuzzy Hash: 133102B0D052499FDB00CF99C684ACEFBF5FB48314F24816AE409AB705D7B59845CB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%
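The API reference lines in this listing (RegOpenKeyExW, RegQueryValueExW, LoadLibraryA, DuplicateHandle, RtlEncodePointer, GlobalMemoryStatusEx) print raw hex arguments, so here is an added Python example (my own code, not the report's or Joe Sandbox's) that parses lines in the report's `• API.MODULE(args), ref: ADDR` format, decodes the hKey root and samDesired access mask of RegOpenKeyExW, and groups every call site by the memory-dump region it falls in. The sample lines are copied from this page's own API entries; the region bases are the Offset values the page lists. The page does not give region sizes, so assigning a call site to the nearest lower base is an assumption, and only the two RegOpenKeyExW slots whose meaning is unambiguous are decoded.

```python
"""Decode '• API.MODULE(args), ref: ADDR' lines from a Joe Sandbox function listing."""
import re
from collections import defaultdict

API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Constructed sample: the API lines as they appear in this report. The trailing
# 06D08172 on GlobalMemoryStatusEx appears to be a return address the plugin saw on
# the stack (it lies in the calling block 6d08155-6d08174); it is kept raw here.
SAMPLE = """\
• RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 069BA784
• RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 069BAA41
• LoadLibraryA.KERNELBASE(?), ref: 017AC9BA
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06D0CAF7
• RtlEncodePointer.NTDLL(00000000), ref: 017A4FED
• GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,06D08172), ref: 06D0825F
"""

# Base addresses of the memory-dump regions named in this report (Offset: lines).
REGION_BASES = [0x017A0000, 0x06980000, 0x069B0000, 0x06D00000]

# Predefined registry root handles (winreg.h).
HKEY_ROOTS = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}

# Registry access-right bits (winnt.h) for decoding samDesired.
KEY_ACCESS_BITS = [
    (0x0001, "KEY_QUERY_VALUE"),
    (0x0002, "KEY_SET_VALUE"),
    (0x0004, "KEY_CREATE_SUB_KEY"),
    (0x0008, "KEY_ENUMERATE_SUB_KEYS"),
    (0x0010, "KEY_NOTIFY"),
    (0x0020, "KEY_CREATE_LINK"),
    (0x0100, "KEY_WOW64_64KEY"),
    (0x0200, "KEY_WOW64_32KEY"),
]


def parse_api_line(line):
    """Return {'api', 'module', 'args', 'ref'} or None. '?' becomes None, hex becomes int."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = []
    for a in m["args"].split(","):
        a = a.strip()
        if a:
            args.append(None if a == "?" else int(a, 16))
    return {"api": m["api"], "module": m["module"], "args": args, "ref": int(m["ref"], 16)}


def decode_reg_open_key(args):
    """RegOpenKeyExW(hKey, lpSubKey, ulOptions, samDesired, phkResult):
    decode hKey to its root name and samDesired to KEY_* flags; other slots stay raw."""
    hkey, _sub, _opts, sam, _out = (args + [None] * 5)[:5]
    root = "?" if hkey is None else HKEY_ROOTS.get(hkey, f"0x{hkey:08X}")
    if sam is None:
        rights = ["?"]
    else:
        rights = [name for bit, name in KEY_ACCESS_BITS if sam & bit] or [f"0x{sam:X}"]
    return root, rights


def region_for(ref, bases):
    """Nearest dump base at or below the call site (assumption: regions do not overlap)."""
    below = [b for b in bases if b <= ref]
    return max(below) if below else None


def summarize(text, bases):
    """Group decoded call descriptions by dump region base."""
    by_region = defaultdict(list)
    for line in text.splitlines():
        rec = parse_api_line(line)
        if rec is None:
            continue
        desc = f"{rec['api']} @ {rec['ref']:08X}"
        if rec["api"] == "RegOpenKeyExW":
            root, rights = decode_reg_open_key(rec["args"])
            desc += f" ({root}, {'|'.join(rights)})"
        by_region[region_for(rec["ref"], bases)].append(desc)
    return dict(by_region)


if __name__ == "__main__":
    for base, calls in sorted(summarize(SAMPLE, REGION_BASES).items()):
        print(f"region {base:08X}:")
        for c in calls:
            print("   ", c)
```

Run against the sample, the RegOpenKeyExW at 069BA784 decodes to HKEY_CURRENT_USER opened with KEY_QUERY_VALUE, and the six call sites split across the 017A0000, 069B0000 and 06D00000 regions, which is a quick way to see which injected region holds the registry, loader and handle-duplication code before opening the dumps.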

                                        Control-flow Graph

                                        control_flow_graph 2643 6d0ca70-6d0cb04 DuplicateHandle 2644 6d0cb06-6d0cb0c 2643->2644 2645 6d0cb0d-6d0cb2a 2643->2645 2644->2645
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06D0CAF7
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618844318.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6d00000_RegSvcs.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        • Opcode ID: 68e593409ecc8de2b57368ec6be7a8af55198d0e3399333f4cfda998cfb3af14
                                        • Instruction ID: 999c10dab1aef9eb782b7b76882308eb7b66a9615b8cdea88073e3f856d0cc34
                                        • Opcode Fuzzy Hash: 68e593409ecc8de2b57368ec6be7a8af55198d0e3399333f4cfda998cfb3af14
                                        • Instruction Fuzzy Hash: DE21C2B5D00249AFDB10CFAAD984ADEBBF8EB48324F14851AE914A3750D374A944CFA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        control_flow_graph 2648 17a4f1f-17a4f28 2649 17a4f2a-17a4f33 2648->2649 2650 17a4f8f-17a4fb8 call 17a4da0 call 17a4df8 2648->2650 2651 17a4f3e 2649->2651 2652 17a4f39 call 17a4838 2649->2652 2660 17a4fba-17a4fbc 2650->2660 2661 17a4fbe 2650->2661 2655 17a4f4e-17a4f66 call 17a4a88 2651->2655 2652->2651 2662 17a4fc3-17a4fcb 2660->2662 2661->2662 2663 17a4fcd-17a4ffe RtlEncodePointer 2662->2663 2664 17a5027-17a5039 2662->2664 2666 17a5000-17a5006 2663->2666 2667 17a5007-17a501d 2663->2667 2666->2667 2667->2664
                                        APIs
                                        • RtlEncodePointer.NTDLL(00000000), ref: 017A4FED
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.610241748.00000000017A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_17a0000_RegSvcs.jbxd
                                        Similarity
                                        • API ID: EncodePointer
                                        • String ID:
                                        • API String ID: 2118026453-0
                                        • Opcode ID: dde7f118606f04cdeb93e9e429b5dc0c481cba20d854b466f5004b9a2e79a80d
                                        • Instruction ID: 161aa7c04e146713f5c163fa0016dd4c430aa11a51d4ae268fa2bacf7b91774c
                                        • Opcode Fuzzy Hash: dde7f118606f04cdeb93e9e429b5dc0c481cba20d854b466f5004b9a2e79a80d
                                        • Instruction Fuzzy Hash: 1F219D70900345CFDB60DF68E4497DDBFF4AB48304F54962AE809E7241CBBAA5448F96
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        control_flow_graph 2669 17a4cb9-17a4d0a 2672 17a4d0c-17a4d0e 2669->2672 2673 17a4d10 2669->2673 2674 17a4d15-17a4d20 2672->2674 2673->2674 2675 17a4d22-17a4d53 RtlEncodePointer 2674->2675 2676 17a4d81-17a4d8e 2674->2676 2678 17a4d5c-17a4d7c 2675->2678 2679 17a4d55-17a4d5b 2675->2679 2678->2676 2679->2678
                                        APIs
                                        • RtlEncodePointer.NTDLL(00000000), ref: 017A4D42
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.610241748.00000000017A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_17a0000_RegSvcs.jbxd
                                        Similarity
                                        • API ID: EncodePointer
                                        • String ID:
                                        • API String ID: 2118026453-0
                                        • Opcode ID: f967a706c9998737a854631bd449fa8734a48c1510ae8574cd857dd7d495d2d9
                                        • Instruction ID: 18070fbd61b0d5595e57eacaa2b8de1b675ed2536ccac21e26ed0a464d128fbd
                                        • Opcode Fuzzy Hash: f967a706c9998737a854631bd449fa8734a48c1510ae8574cd857dd7d495d2d9
                                        • Instruction Fuzzy Hash: E921B870900306CFCB10DFA8C94979EBBF4EF04314F58856AD806A7A00D7786444CFA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        control_flow_graph 2681 6d066fc-6d0826c GlobalMemoryStatusEx 2684 6d08275-6d0829d 2681->2684 2685 6d0826e-6d08274 2681->2685 2685->2684
                                        APIs
                                        • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,06D08172), ref: 06D0825F
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618844318.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6d00000_RegSvcs.jbxd
                                        Similarity
                                        • API ID: GlobalMemoryStatus
                                        • String ID:
                                        • API String ID: 1890195054-0
                                        • Opcode ID: 4af89a47dd46822529761449ff8c1a1cdeeddaf98e35d1d6f57ddc03e6021c7e
                                        • Instruction ID: b02d268b02ba9c4a27e9a3dd515716e096527c87fde7813f5f7c0d77db2653a2
                                        • Opcode Fuzzy Hash: 4af89a47dd46822529761449ff8c1a1cdeeddaf98e35d1d6f57ddc03e6021c7e
                                        • Instruction Fuzzy Hash: D311F2B1C0061A9FDB10CFAAD8447DEFBB4AB48324F04816AD814A7750E778A955CFE5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RtlEncodePointer.NTDLL(00000000), ref: 017A4D42
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.610241748.00000000017A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_17a0000_RegSvcs.jbxd
                                        Similarity
                                        • API ID: EncodePointer
                                        • String ID:
                                        • API String ID: 2118026453-0
                                        • Opcode ID: 709ba719298e84c6b23ed7627bc241c501adaaf5d7b908e61f9e762e5a56f2d7
                                        • Instruction ID: 7ffcf785118e3e4a330170505b53f1b53736614cd9f193d5e3c0bc7e01555c6f
                                        • Opcode Fuzzy Hash: 709ba719298e84c6b23ed7627bc241c501adaaf5d7b908e61f9e762e5a56f2d7
                                        • Instruction Fuzzy Hash: 2311A970A0030ACFDB10DFA8D9087DEBFF8EB44324F548569D805A7A40DBB96884CFA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618390404.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6980000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4cb2432c7dac7ab96e36e24c9717f91e695aabb7642d163f50e2ebf8242394f7
                                        • Instruction ID: 7ca11226652166ec98d8f569472f8a700cee65aa20f36dd3ae26ab2d8c84e971
                                        • Opcode Fuzzy Hash: 4cb2432c7dac7ab96e36e24c9717f91e695aabb7642d163f50e2ebf8242394f7
                                        • Instruction Fuzzy Hash: F112C030B012059FDB54FBB8D848BADB7A2BF84364F148629E416DB799EB35DC05CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618390404.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6980000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 17e541a6c56acd5faff247f9c4f9bb787a4ec520938648e0cd5078a7cd070bee
                                        • Instruction ID: 1dd49cafdc9dfe457048a8bf7485148e65424074f4ab052098d725a98dee7c2f
                                        • Opcode Fuzzy Hash: 17e541a6c56acd5faff247f9c4f9bb787a4ec520938648e0cd5078a7cd070bee
                                        • Instruction Fuzzy Hash: 6902BE31F002059FDB94EBB8D8456AEBBF6EB88310F254469E406DB754EB35DC4ACB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618390404.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6980000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8ae7c4f3298b1321bd791685b0e6086e6198376e5e589163f26c57ffde7df7b1
                                        • Instruction ID: b88721ab57bad1907741780534a27377a9503afedc81e17d4e7410410cfc57ca
                                        • Opcode Fuzzy Hash: 8ae7c4f3298b1321bd791685b0e6086e6198376e5e589163f26c57ffde7df7b1
                                        • Instruction Fuzzy Hash: 6DD10730B183858FE3069779CC157667BEA9B86344F6984B6D508CFB93EA38DC0AC751
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.610038030.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_174d000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6acc09be33fac4799be1ae084ae13dbbfa2a73dfbcb1c68ef7bbb4fdb1c78f83
                                        • Instruction ID: 77501690ac5fd717e81b90bd7bcbc97cf9c61852fc48dcf38623d44f088d3371
                                        • Opcode Fuzzy Hash: 6acc09be33fac4799be1ae084ae13dbbfa2a73dfbcb1c68ef7bbb4fdb1c78f83
                                        • Instruction Fuzzy Hash: DF812A3144E3C58FD7238B74D8607827FB1AF47224F1985EBC485CE1A3D26E895ACB62
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618390404.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6980000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 00cd550b1813b793daecf630b009e24aad256bb3b28231d2830f45315da49cb2
                                        • Instruction ID: 2784c74e6260d4a2d2e0e655c05ef87564a883edc2c927bc65a56ea9c2e8f2a4
                                        • Opcode Fuzzy Hash: 00cd550b1813b793daecf630b009e24aad256bb3b28231d2830f45315da49cb2
                                        • Instruction Fuzzy Hash: 41A16A30B01205DFDB50AB70D898B6DB7A6EF84325F258628E5269B3D8EF759D05CF80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618390404.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6980000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8e5aefee655921abcb18e38666bdde4ed3b8ac764a4ff8b1166933a9a589951c
                                        • Instruction ID: abf92882ea9ff0884521898d2cd29785729db75b432814e3d7e41a27adf1a0cc
                                        • Opcode Fuzzy Hash: 8e5aefee655921abcb18e38666bdde4ed3b8ac764a4ff8b1166933a9a589951c
                                        • Instruction Fuzzy Hash: 9C710A30B0E3815FD30297749C686667FA69F86250F2984F6E444CF797EA29CD09C762
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618390404.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6980000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5b4e8ea6a0ceb157b1723176ac20a733fcbafc9761865d7c7fc436baba7f4e51
                                        • Instruction ID: c8743ee2e279733fd086671590b5d52eba573af508ce54d6b4d9ad2437ac82d2
                                        • Opcode Fuzzy Hash: 5b4e8ea6a0ceb157b1723176ac20a733fcbafc9761865d7c7fc436baba7f4e51
                                        • Instruction Fuzzy Hash: D471D430E00240CFDB94EBB9C44479DBBA6EF85304F24C1AAD819ABB99D775C846C7A1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618390404.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6980000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 746e56852ad404df1dd95fc72994b0c359cd45785029f13f0ac05e1504f78fc5
                                        • Instruction ID: 2957518ca09f844066f6e31b9592953be718e63b8099f7dcd19000a8e11222a0
                                        • Opcode Fuzzy Hash: 746e56852ad404df1dd95fc72994b0c359cd45785029f13f0ac05e1504f78fc5
                                        • Instruction Fuzzy Hash: AC812974A01308DFCB44EFB4E49559DBBB9FB49300F109969D8049B754EB38AD4ACF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618390404.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6980000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 378b6bdc8bced339afaee3b47898601397fe1f50a7fc8e013715c86bfbb5b5bb
                                        • Instruction ID: f9c539a778e62c67dcdbc082cf856390a4c41350ffc4036d3dd07b985fcd7130
                                        • Opcode Fuzzy Hash: 378b6bdc8bced339afaee3b47898601397fe1f50a7fc8e013715c86bfbb5b5bb
                                        • Instruction Fuzzy Hash: B651EC30B093809FD7529774985479A7F9ACB82344F29C0EBD4588FADBD679C80AC772
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618390404.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6980000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: efe23cc9b51654fed0185bd3ed029abc4fe4e79de69403a6775ae533871e6379
                                        • Instruction ID: 919f0323f53c72b6f3523bcca666141e75c0438a8aa273a0aaefd03bb0a1d263
                                        • Opcode Fuzzy Hash: efe23cc9b51654fed0185bd3ed029abc4fe4e79de69403a6775ae533871e6379
                                        • Instruction Fuzzy Hash: 6651C274D01308DFCB54EFA4E49589DBBB9FB58300B209929D815AB314EB38AE45CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618390404.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6980000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9d0c9e7a005de3d078c80173ad177b320618d20a6d8e65f9a014f04e85f48096
                                        • Instruction ID: d81aac92c92b8e423b6bd69100ba9ba4a63cbdd1d023930bfc8262c71ad356e7
                                        • Opcode Fuzzy Hash: 9d0c9e7a005de3d078c80173ad177b320618d20a6d8e65f9a014f04e85f48096
                                        • Instruction Fuzzy Hash: 96312934B093855FD702E77498186AB7BEA9F86240F1944F6D508CBB96E738CD05C7A2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618390404.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6980000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a77878df7ed8be277d7722683a5c7c4c5b5694b8e508aca3bef9209140a0e5b5
                                        • Instruction ID: e617440fe55dcd4a69a60a4435885eb5363fe17aa44a9fe08befcf2114b8a65d
                                        • Opcode Fuzzy Hash: a77878df7ed8be277d7722683a5c7c4c5b5694b8e508aca3bef9209140a0e5b5
                                        • Instruction Fuzzy Hash: A031DE31F002058FCB64BB74D4586AEBBF7AF89244B148828D406DB349EF34DC06CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618390404.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6980000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7333a410d25100cecb7874627190a0fe813401b0fbe6c6aa7cd0e6f706bd2015
                                        • Instruction ID: 64dc81a54db7dcafb6ae58264366bc95f621ba09c87a8dfded1f3eba7bc7a5bf
                                        • Opcode Fuzzy Hash: 7333a410d25100cecb7874627190a0fe813401b0fbe6c6aa7cd0e6f706bd2015
                                        • Instruction Fuzzy Hash: 2C319C31F002058FCB64AB74D4586AEB7F7AF89245B108869D406DB389EF78DC05CBA2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618390404.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6980000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1c36ef231694cf64b833131590b6eb4048646437f899c4778976730b668ddff9
                                        • Instruction ID: 01dc852feb6af76f686b9bbd53704bf35eccd926fa5b3b52fd3e3a7e34b4d8d9
                                        • Opcode Fuzzy Hash: 1c36ef231694cf64b833131590b6eb4048646437f899c4778976730b668ddff9
                                        • Instruction Fuzzy Hash: 1321E634B043459FCB81EB78DC559AEBBF6BF89210B10446AE10ADB751EF388C01CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618390404.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6980000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9086e83c0ff073a0c09d5577cdc8d0b96721f5e84c63eccf58da3287f7dfb43c
                                        • Instruction ID: d4f865b36e7ca8a4afdafc460c4184623f405544a41b2cffc6d949e3a71362ad
                                        • Opcode Fuzzy Hash: 9086e83c0ff073a0c09d5577cdc8d0b96721f5e84c63eccf58da3287f7dfb43c
                                        • Instruction Fuzzy Hash: 1421D630B043058FC785EB79DC449AE77F6EB89204F50847AD549DB751EB389D06CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618390404.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6980000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 55c3c9b608d061d43b6202f00b3e52ccf0d08edf11440dee6f5be426a960a2da
                                        • Instruction ID: e0692f656764f65a69f61693cfc18cc9238c61fb186a03ae1aa3adbaceb7cab3
                                        • Opcode Fuzzy Hash: 55c3c9b608d061d43b6202f00b3e52ccf0d08edf11440dee6f5be426a960a2da
                                        • Instruction Fuzzy Hash: 8B21A674E012099FCB85DFA8D984A9EBBF6EF88314F15846AD408DB741E735DC45CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618390404.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6980000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e5bbcdd611b86e84a5cf95ef8a5d2d3dcf384f450d8c1ab7b73f2d88fee493a8
                                        • Instruction ID: e0770268364e7ea95ecde434a30c0b77ed91ab6956ad67a15a13a9261217e1d9
                                        • Opcode Fuzzy Hash: e5bbcdd611b86e84a5cf95ef8a5d2d3dcf384f450d8c1ab7b73f2d88fee493a8
                                        • Instruction Fuzzy Hash: BA21A83070E3C05FD30797349C19AA37FAA8F86244F1984E7E448CB697D6298C09C372
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618390404.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6980000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 342b0e8138378144d371c8f3043e1da23b919e2a8e2ced231475d8c967cdbad3
                                        • Instruction ID: 0e2c0bce806250280d330b124d2e0d16cb0680bf98ccf21f8f14099286d2dd8e
                                        • Opcode Fuzzy Hash: 342b0e8138378144d371c8f3043e1da23b919e2a8e2ced231475d8c967cdbad3
                                        • Instruction Fuzzy Hash: E6219F31F002159FDB90EFB898086AEBBF5AF88651F118065E916E7344EF349D058BA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.609976051.000000000173D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_173d000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: eb2971bf040b4f7d58e6ee3666a4f9311e7b1288d0a7e045c0c6f2b4cc85183b
                                        • Instruction ID: 840415db038c67ce1ab17f827fb81fc467c222cbd5c7b0cdb2069aad23ca9f22
                                        • Opcode Fuzzy Hash: eb2971bf040b4f7d58e6ee3666a4f9311e7b1288d0a7e045c0c6f2b4cc85183b
                                        • Instruction Fuzzy Hash: 6721F1B1500240EFDB15DF94D8C0BA6FB66FBD4324F64C5A9EC490B607C336E856C6A1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.609976051.000000000173D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_173d000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: acfe44957c8f91dc758452a2beaedbc7646bd4fe3bd95f681466064a55956cf2
                                        • Instruction ID: 1100100c74b4ca08b71c355083617dbf21b3a501fc6e931696eb3ac4447595ef
                                        • Opcode Fuzzy Hash: acfe44957c8f91dc758452a2beaedbc7646bd4fe3bd95f681466064a55956cf2
                                        • Instruction Fuzzy Hash: BF210371600240EFDB25CF94D9C0B56FB65FBC8328F3485A9E8050B697C336D856CAA2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.610038030.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_174d000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 39719b9a6e8a19394e89d48015c8747134c3da738d4f21d37b27f151a03be385
                                        • Instruction ID: 6cdef594ebe2e60a87e3a9d2fad4e5e3200747118c345be5d689d708bf1a0c0e
                                        • Opcode Fuzzy Hash: 39719b9a6e8a19394e89d48015c8747134c3da738d4f21d37b27f151a03be385
                                        • Instruction Fuzzy Hash: 9321F575504240EFDB05CF18D5C0B26FB65FB88334F24C9ADE9494B756CB3AD846CAA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.609976051.000000000173D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_173d000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fe53f467f22d3fc093544a00d5bb9c4584ce373a2e28d25d0498f2e1268a348e
                                        • Instruction ID: 5437b88e48b21f464741d8e0c0f69b180c8779320d2944c1bd8b099a5ed2ae8a
                                        • Opcode Fuzzy Hash: fe53f467f22d3fc093544a00d5bb9c4584ce373a2e28d25d0498f2e1268a348e
                                        • Instruction Fuzzy Hash: 38119A76404280DFCB12CF54D9C4B56BF72FB84320F28C6A9D8480B617C33AE45ACBA2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.609976051.000000000173D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_173d000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fe53f467f22d3fc093544a00d5bb9c4584ce373a2e28d25d0498f2e1268a348e
                                        • Instruction ID: 0d68c98414cf3e66068554296d0272b04c72e7afadd993252ae5fc18821611ab
                                        • Opcode Fuzzy Hash: fe53f467f22d3fc093544a00d5bb9c4584ce373a2e28d25d0498f2e1268a348e
                                        • Instruction Fuzzy Hash: 1D11AF76504280DFCB12CF54D9C4B16FF72FB84324F2486A9D8050B657C33AD456CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.618390404.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
                                        Joe Sandbox IDA Plugin